Jared Ondricek
83 lines
6.0 KiB
JSON
83 lines
6.0 KiB
JSON
{
|
|
"type": "bundle",
|
|
"id": "bundle--6f751e45-8d4c-42d9-9351-faac3fc36e3e",
|
|
"spec_version": "2.0",
|
|
"objects": [
|
|
{
|
|
"modified": "2023-03-20T18:50:21.363Z",
|
|
"name": "Location Tracking",
|
|
"description": "Adversaries may track a device\u2019s physical location through use of standard operating system APIs via malicious or exploited applications on the compromised device. \n\n \n\nOn Android, applications holding the `ACCESS_COAURSE_LOCATION` or `ACCESS_FINE_LOCATION` permissions provide access to the device\u2019s physical location. On Android 10 and up, declaration of the `ACCESS_BACKGROUND_LOCATION` permission in an application\u2019s manifest will allow applications to request location access even when the application is running in the background.(Citation: Android Request Location Permissions) Some adversaries have utilized integration of Baidu map services to retrieve geographical location once the location access permissions had been obtained.(Citation: PaloAlto-SpyDealer)(Citation: Palo Alto HenBox) \n\n \n\nOn iOS, applications must include the `NSLocationWhenInUseUsageDescription`, `NSLocationAlwaysAndWhenInUseUsageDescription`, and/or `NSLocationAlwaysUsageDescription` keys in their `Info.plist` file depending on the extent of requested access to location information.(Citation: Apple Requesting Authorization for Location Services) On iOS 8.0 and up, applications call `requestWhenInUseAuthorization()` to request access to location information when the application is in use or `requestAlwaysAuthorization()` to request access to location information regardless of whether the application is in use. With elevated privileges, an adversary may be able to access location data without explicit user consent with the `com.apple.locationd.preauthorized` entitlement key.(Citation: Google Project Zero Insomnia)",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "mitre-mobile-attack",
|
|
"phase_name": "collection"
|
|
},
|
|
{
|
|
"kill_chain_name": "mitre-mobile-attack",
|
|
"phase_name": "discovery"
|
|
}
|
|
],
|
|
"x_mitre_deprecated": false,
|
|
"x_mitre_detection": "Android applications requesting the `ACCESS_COARSE_LOCATION`, `ACCESS_FINE_LOCATION`, or `ACCESS_BACKGROUND_LOCATION` permissions and iOS applications including the `NSLocationWhenInUseUsageDescription`, `NSLocationAlwaysAndWhenInUseUsageDescription`, and/or `NSLocationAlwaysUsageDescription` keys in their `Info.plist` file could be scrutinized during the application vetting process. \n\n \n\nIn both Android (6.0 and up) and iOS, users can view which applications have the permission to access the device location through the device settings screen and revoke permissions as necessary. ",
|
|
"x_mitre_domains": [
|
|
"mobile-attack"
|
|
],
|
|
"x_mitre_is_subtechnique": false,
|
|
"x_mitre_platforms": [
|
|
"Android",
|
|
"iOS"
|
|
],
|
|
"x_mitre_version": "1.2",
|
|
"x_mitre_tactic_type": [
|
|
"Post-Adversary Device Access"
|
|
],
|
|
"type": "attack-pattern",
|
|
"id": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4",
|
|
"created": "2017-10-25T14:48:12.267Z",
|
|
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
|
|
"revoked": false,
|
|
"external_references": [
|
|
{
|
|
"source_name": "mitre-attack",
|
|
"url": "https://attack.mitre.org/techniques/T1430",
|
|
"external_id": "T1430"
|
|
},
|
|
{
|
|
"source_name": "Palo Alto HenBox",
|
|
"description": "A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. Retrieved September 9, 2019.",
|
|
"url": "https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/"
|
|
},
|
|
{
|
|
"source_name": "Android Request Location Permissions",
|
|
"description": "Android Developers. (2022, March 24). Request Location Permissions. Retrieved April 1, 2022.",
|
|
"url": "https://developer.android.com/training/location/permissions"
|
|
},
|
|
{
|
|
"source_name": "Apple Requesting Authorization for Location Services",
|
|
"description": "Apple Developers. (n.d.). Requesting Authorization for Location Services. Retrieved April 1, 2022.",
|
|
"url": "https://developer.apple.com/documentation/corelocation/requesting_authorization_for_location_services"
|
|
},
|
|
{
|
|
"source_name": "Google Project Zero Insomnia",
|
|
"description": "I. Beer. (2019, August 29). Implant Teardown. Retrieved June 2, 2020.",
|
|
"url": "https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html"
|
|
},
|
|
{
|
|
"source_name": "PaloAlto-SpyDealer",
|
|
"description": "Wenjun Hu, Cong Zheng and Zhi Xu. (2017, July 6). SpyDealer: Android Trojan Spying on More Than 40 Apps. Retrieved September 18, 2018.",
|
|
"url": "https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/"
|
|
},
|
|
{
|
|
"source_name": "NIST Mobile Threat Catalogue",
|
|
"url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-24.html",
|
|
"external_id": "APP-24"
|
|
}
|
|
],
|
|
"object_marking_refs": [
|
|
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
|
|
],
|
|
"x_mitre_attack_spec_version": "3.1.0",
|
|
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
|
|
}
|
|
]
|
|
} |