cti/mobile-attack/attack-pattern/attack-pattern--53263a67-075e-48fa-974b-91c5b5445db7.json

{
"type": "bundle",
"id": "bundle--ddf19aac-906d-42aa-974c-c7c5599c4ebd",
"spec_version": "2.0",
"objects": [
{
"x_mitre_platforms": [
"Android",
"iOS"
],
"x_mitre_domains": [
"mobile-attack"
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"type": "attack-pattern",
"id": "attack-pattern--53263a67-075e-48fa-974b-91c5b5445db7",
"created": "2018-10-17T00:14:20.652Z",
"x_mitre_version": "1.2",
"external_references": [
{
"source_name": "mitre-attack",
"external_id": "T1476",
"url": "https://attack.mitre.org/techniques/T1476"
},
{
"source_name": "IBTimes-ThirdParty",
"url": "https://www.ibtimes.co.uk/danger-lurks-third-party-android-app-stores-1544861",
"description": "A Prasad. (2016, February 19). Danger lurks in third-party Android app stores. Retrieved November 8, 2018."
},
{
"source_name": "TrendMicro-RootingMalware",
"url": "https://blog.trendmicro.com/trendlabs-security-intelligence/user-beware-rooting-malware-found-in-3rd-party-app-stores/",
"description": "Jordan Pan. (2016, February 10). User Beware: Rooting Malware Found in 3rd Party App Stores. Retrieved November 8, 2018."
},
{
"source_name": "android-trojan-steals-paypal-2fa",
"url": "https://www.welivesecurity.com/2018/12/11/android-trojan-steals-money-paypal-accounts-2fa/",
"description": "Luk\u00e1\u0161 \u0160tefanko. (2018, December 11). Android Trojan steals money from PayPal accounts even with 2FA on. Retrieved July 11, 2019."
},
{
"source_name": "TrendMicro-FlappyBird",
"url": "https://blog.trendmicro.com/trendlabs-security-intelligence/flappy-bird-and-third-party-app-stores/",
"description": "Veo Zhang. (2014, February 18). Flappy Bird and Third-Party App Stores. Retrieved November 8, 2018."
},
{
"url": "https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-9.html",
"source_name": "NIST Mobile Threat Catalogue",
"external_id": "AUT-9"
},
{
"url": "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-13.html",
"source_name": "NIST Mobile Threat Catalogue",
"external_id": "ECO-13"
},
{
"url": "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-21.html",
"source_name": "NIST Mobile Threat Catalogue",
"external_id": "ECO-21"
}
],
"x_mitre_deprecated": true,
"revoked": false,
"description": "Malicious applications are a common attack vector used by adversaries to gain a presence on mobile devices. This technique describes installing a malicious application on targeted mobile devices without involving an authorized app store (e.g., Google Play Store or Apple App Store). Adversaries may wish to avoid placing malicious applications in an authorized app store due to increased potential risk of detection or other reasons. However, mobile devices often are configured to allow application installation only from an authorized app store, which would prevent this technique from working.\n\nDelivery methods for the malicious application include:\n\n* [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001) - Including the mobile app package as an attachment to an email message.\n* [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002) - Including a link to the mobile app package within an email, text message (e.g., SMS, iMessage, Hangouts, WhatsApp, etc.), web site, QR code, or other means.\n* Third-Party App Store - Installed from a third-party app store (as opposed to an authorized app store that the device implicitly trusts as part of its default behavior), which may not apply the same level of scrutiny to apps as applied by an authorized app store.(Citation: IBTimes-ThirdParty)(Citation: TrendMicro-RootingMalware)(Citation: TrendMicro-FlappyBird)\n\nSome Android malware comes with functionality to install additional applications, either automatically or when the adversary instructs it to.(Citation: android-trojan-steals-paypal-2fa)",
"modified": "2022-04-06T15:41:16.863Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"name": "Deliver Malicious App via Other Means",
"x_mitre_detection": "* An EMM/MDM or mobile threat defense solution may be able to identify the presence of apps installed from sources other than an authorized app store. \n* An EMM/MDM or mobile threat defense solution may be able to identify Android devices configured to allow apps to be installed from \"Unknown Sources\".\n* Enterprise email security solutions can identify the presence of Android or iOS application packages within email messages.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-mobile-attack",
"phase_name": "initial-access"
}
],
"x_mitre_is_subtechnique": false,
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
],
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
}
]
}