cti/mobile-attack/attack-pattern/attack-pattern--52eff1c7-dd30-4121-b762-24ae6fa61bbb.json

{
    "type": "bundle",
    "id": "bundle--d98a2ca1-e1b9-4745-9aaa-045b33743484",
    "spec_version": "2.0",
    "objects": [
        {
            "x_mitre_platforms": [
                "Android"
            ],
            "x_mitre_domains": [
                "mobile-attack"
            ],
            "object_marking_refs": [
                "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
            ],
            "type": "attack-pattern",
            "id": "attack-pattern--52eff1c7-dd30-4121-b762-24ae6fa61bbb",
            "created": "2020-04-28T14:35:37.309Z",
            "x_mitre_version": "2.0",
            "external_references": [
                {
                    "source_name": "mitre-attack",
                    "external_id": "T1575",
                    "url": "https://attack.mitre.org/techniques/T1575"
                },
                {
                    "source_name": "Google NDK Getting Started",
                    "url": "https://developer.android.com/ndk/guides",
                    "description": "Google. (2019, December 27). Getting Started with the NDK. Retrieved April 28, 2020."
                },
                {
                    "source_name": "MITRE App Vetting Effectiveness",
                    "url": "https://www.mitre.org/sites/default/files/publications/pr-16-4772-analyzing-effectiveness-mobile-app-vetting-tools-report.pdf",
                    "description": "M. Peck, C. Northern. (2016, August 22). Analyzing the Effectiveness of App Vetting Tools in the Enterprise. Retrieved April 28, 2020."
                }
            ],
            "x_mitre_deprecated": false,
            "revoked": false,
            "description": "Adversaries may use Android\u2019s Native Development Kit (NDK) to write native functions that can achieve execution of binaries or functions. Like system calls on a traditional desktop operating system, native code achieves execution on a lower level than normal Android SDK calls.\n\nThe NDK allows developers to write native code in C or C++ that is compiled directly to machine code, avoiding all intermediate languages and steps in compilation that higher level languages, like Java, typically have. The Java Native Interface (JNI) is the component that allows Java functions in the Android app to call functions in a native library.(Citation: Google NDK Getting Started)\n\nAdversaries may also choose to use native functions to execute malicious code since native actions are typically much more difficult to analyze than standard, non-native behaviors.(Citation: MITRE App Vetting Effectiveness)",
            "modified": "2022-04-08T15:46:24.495Z",
            "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
            "name": "Native API",
            "x_mitre_detection": "This is abuse of standard OS-level APIs and are therefore typically undetectable to the end user.",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "mitre-mobile-attack",
                    "phase_name": "defense-evasion"
                },
                {
                    "kill_chain_name": "mitre-mobile-attack",
                    "phase_name": "execution"
                }
            ],
            "x_mitre_is_subtechnique": false,
            "x_mitre_tactic_type": [
                "Post-Adversary Device Access"
            ],
            "x_mitre_attack_spec_version": "2.1.0",
            "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
        }
    ]
}