{ "type": "bundle", "id": "bundle--7ba9d734-46d5-48cf-a9a5-f210a3f07706", "spec_version": "2.0", "objects": [ { "type": "x-mitre-analytic", "id": "x-mitre-analytic--2867d1e0-cf83-4d83-bc6c-cc03404c3521", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0676#AN1778", "external_id": "AN1778" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-01-29T19:36:34.664Z", "name": "Analytic 1778", "description": "Defender correlates an app preparing to phish (gaining overlay/notification/accessibility capability) with precise foreground targeting (reading activity in front via accessibility/focus) and then presenting a look-alike UI (overlay window or activity-on-top) immediately before local storage or small-burst egress of entered data. Chain: capability/permission \u2192 target app in foreground detected \u2192 overlay/activity-on-top or fake notification tap \u2192 local prompt input write \u2192 near-term network egress.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "Android" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--1887a270-576a-4049-84de-ef746b2572d6", "name": "android:logcat", "channel": "Grant/enablement of SYSTEM_ALERT_WINDOW, BIND_ACCESSIBILITY_SERVICE, POST_NOTIFICATIONS for " }, { "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", "name": "android:logcat", "channel": "TYPE_WINDOW_STATE_CHANGED / TYPE_VIEW_FOCUSED shows foreign target package in foreground" }, { "x_mitre_data_component_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", "name": "android:logcat", "channel": "addView TYPE_APPLICATION_OVERLAY|TYPE_APPLICATION_ATTACHED_DIALOG shown over " }, { "x_mitre_data_component_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", "name": "android:logcat", "channel": "startActivity on top of (launchMode/singleTop), task switch immediately after focus" }, { "x_mitre_data_component_ref": "x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c", "name": "android:logcat", "channel": "CREATE/WRITE to /data/data//(files|databases)/(creds|form|prompt).*\\\\.(db|sqlite|json|txt)" } ], "x_mitre_mutable_elements": [ { "field": "TimeWindowSeconds", "description": "Max time from overlay/activity to persist/exfil (e.g., 5\u201360s)." }, { "field": "OverlayRequired", "description": "Require overlay evidence unless activity-on-top is observed (true/false)." }, { "field": "TargetPkgWatchlist", "description": "List of high-value target packages (banking, identity) to raise severity." }, { "field": "PersistPathRegex", "description": "Regex for local prompt data artifacts." }, { "field": "ExfilDomainAllowlist", "description": "Known-good analytics/CDN/service domains to suppress FPs." }, { "field": "UserContext", "description": "Work Profile/Kiosk mode/Accessibility allowlist to scope benign cases." } ] } ] }