misp-galaxy/clusters/mitre-mobile-attack-malware...

{
"name": "Mobile Attack - Malware",
"type": "mitre-mobile-attack-malware",
"description": "Name of ATT&CK software",
"version": 2,
"source": "https://github.com/mitre/cti",
"uuid": "04a165aa-1708-11e8-b2da-c7d7625f4a4f",
"authors": [
"MITRE"
],
"values": [
{
"description": "AndroRAT \"allows a third party to control the device and collect information such as contacts, call logs, text messages, device location, and audio from the microphone. It is now used maliciously by other actors.\" (Citation: Lookout-EnterpriseApps)\n\nAliases: AndroRAT",
"value": "AndroRAT - MOB-S0008",
"meta": {
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0008",
"https://blog.lookout.com/blog/2016/05/25/spoofed-apps/"
],
"synonyms": [
"AndroRAT"
]
},
"uuid": "a3dad2be-ce62-4440-953b-00fbce7aba93"
},
{
"description": "Android malware described by Kaspersky (Citation: Kaspersky-MobileMalware).\n\nAliases: Trojan-SMS.AndroidOS.Agent.ao",
"value": "Trojan-SMS.AndroidOS.Agent.ao - MOB-S0023",
"meta": {
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0023",
"https://securelist.com/analysis/kaspersky-security-bulletin/58335/mobile-malware-evolution-2013/"
],
"synonyms": [
"Trojan-SMS.AndroidOS.Agent.ao"
]
},
"uuid": "a1867c56-8c86-455a-96ad-b0d5f7e2bc17"
},
{
"description": "DualToy is Windows malware that installs malicious applications onto Android and iOS devices connected over USB (Citation: PaloAlto-DualToy).\n\nAliases: DualToy",
"value": "DualToy - MOB-S0031",
"meta": {
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0031"
],
"synonyms": [
"DualToy"
]
},
"uuid": "507fe748-5e4a-4b45-9e9f-8b1115f4e878"
},
{
"description": "On jailbroken iOS devices, KeyRaider steals Apple account credentials and other data. It \"also has built-in functionality to hold iOS devices for ransom.\" (Citation: KeyRaider)\n\nAliases: KeyRaider",
"value": "KeyRaider - MOB-S0004",
"meta": {
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0004",
"http://researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/"
],
"synonyms": [
"KeyRaider"
]
},
"uuid": "3bc1f0ad-ef11-4afc-83c0-fcffe08d4e50"
},
{
"description": "Brain Test is a family of Android malware described by CheckPoint (Citation: CheckPoint-BrainTest) and Lookout (Citation: Lookout-BrainTest).\n\nAliases: BrainTest",
"value": "BrainTest - MOB-S0009",
"meta": {
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0009",
"http://blog.checkpoint.com/2015/09/21/braintest-a-new-level-of-sophistication-in-mobile-malware/",
"https://blog.lookout.com/blog/2016/01/06/brain-test-re-emerges/"
],
"synonyms": [
"BrainTest"
]
},
"uuid": "e13d084c-382f-40fd-aa9a-98d69e20301e"
},
{
"description": "Lookout states that some variants of the Shedun, Shuanet, and ShiftyBug/Kemoge Android malware families \"have 71 percent to 82 percent code similarity\" (Citation: Lookout-Adware), even though they \"don't believe these apps were all created by the same author or group\".\n\nAliases: Shedun, Shuanet, ShiftyBug, Kemoge",
"value": "Shedun - MOB-S0010",
"meta": {
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0010",
"https://blog.lookout.com/blog/2015/11/04/trojanized-adware/"
],
"synonyms": [
"Shedun",
"Shuanet",
"ShiftyBug",
"Kemoge"
]
},
"uuid": "c80a6bef-b3ce-44d0-b113-946e93124898"
},
{
"description": "Android malware family analyzed by Trend Micro (Citation: TrendMicro-DressCode).\n\nAliases: DressCode",
"value": "DressCode - MOB-S0016",
"meta": {
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0016",
"http://blog.trendmicro.com/trendlabs-security-intelligence/dresscode-potential-impact-enterprises/"
],
"synonyms": [
"DressCode"
]
},
"uuid": "ff742eeb-1f90-4f5a-8b92-9d40fffd99ca"
},
{
"description": "Adups, software pre-installed onto Android devices including those made by BLU Products, reportedly transmitted sensitive data to a Chinese server. The capability was reportedly designed \"to help a Chinese phone manufacturer monitor user behavior\" and \"was not intended for American phones\". (Citation: NYTimes-BackDoor) (Citation: BankInfoSecurity-BackDoor).\n\nAliases: Adups",
"value": "Adups - MOB-S0025",
"meta": {
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0025",
"https://www.nytimes.com/2016/11/16/us/politics/china-phones-software-security.html",
"http://www.bankinfosecurity.com/did-chinese-spyware-linger-in-us-phones-a-9534"
],
"synonyms": [
"Adups"
]
},
"uuid": "f6ac21b6-2592-400c-8472-10d0e2f1bfaf"
},
{
"description": "Discovered by Lookout (Citation: Lookout-Pegasus) and Citizen Lab (Citation: PegasusCitizenLab), Pegasus escalates privileges on iOS devices and uses its privileged access to collect a variety of sensitive information.\n\nAliases: Pegasus",
"value": "Pegasus - MOB-S0005",
"meta": {
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0005",
"https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf",
"https://citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/"
],
"synonyms": [
"Pegasus"
]
},
"uuid": "33d9d91d-aad9-49d5-a516-220ce101ac8a"
},
{
"description": "RuMMS is a family of Android malware (Citation: FireEye-RuMMS).\n\nAliases: RuMMS",
"value": "RuMMS - MOB-S0029",
"meta": {
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0029",
"https://www.fireeye.com/blog/threat-research/2016/04/rumms-android-malware.html"
],
"synonyms": [
"RuMMS"
]
},
"uuid": "936be60d-90eb-4c36-9247-4b31128432c4"
},
{
"description": "HummingBad is a family of Android malware that generates fraudulent advertising revenue and has the ability to obtain root access on older, vulnerable versions of Android (Citation: ArsTechnica-HummingBad).\n\nAliases: HummingBad",
"value": "HummingBad - MOB-S0038",
"meta": {
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0038",
"http://arstechnica.com/security/2016/07/virulent-auto-rooting-malware-takes-control-of-10-million-android-devices/"
],
"synonyms": [
"HummingBad"
]
},
"uuid": "c8770c81-c29f-40d2-a140-38544206b2b4"
},
{
"description": "Android malware described by Kaspersky (Citation: Kaspersky-MobileMalware).\n\nAliases: Trojan-SMS.AndroidOS.OpFake.a",
"value": "Trojan-SMS.AndroidOS.OpFake.a - MOB-S0024",
"meta": {
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0024",
"https://securelist.com/analysis/kaspersky-security-bulletin/58335/mobile-malware-evolution-2013/"
],
"synonyms": [
"Trojan-SMS.AndroidOS.OpFake.a"
]
},
"uuid": "d89c132d-7752-4c7f-9372-954a71522985"
},
{
"description": "Android malware family analyzed by Lookout (Citation: Lookout-Dendroid).\n\nAliases: Dendroid",
"value": "Dendroid - MOB-S0017",
"meta": {
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0017",
"https://blog.lookout.com/blog/2014/03/06/dendroid/"
],
"synonyms": [
"Dendroid"
]
},
"uuid": "317a2c10-d489-431e-b6b2-f0251fddc88e"
},
{
"description": "Android malware analyzed by Scandinavian security group CSIS as described in a Tripwire post (Citation: Tripwire-MazarBOT).\n\nAliases: MazarBOT",
"value": "MazarBOT - MOB-S0019",
"meta": {
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0019",
"https://www.tripwire.com/state-of-security/security-data-protection/android-malware-sms/"
],
"synonyms": [
"MazarBOT"
]
},
"uuid": "5ddf81ea-2c06-497b-8c30-5f1ab89a40f9"
},
{
"description": "The Gooligan malware family, revealed by Check Point, runs privilege escalation exploits on Android devices and then uses its escalated privileges to steal \"authentication tokens that can be used to access data from Google Play, Gmail, Google Photos, Google Docs, G Suite, Google Drive, and more.\" (Citation: Gooligan)\n\nGoogle (Citation: Ludwig-GhostPush) and Lookout describe Gooligan as part of the Ghost Push Android malware family. (Citation: Gooligan)\n\nAliases: Gooligan",
"value": "Gooligan - MOB-S0006",
"meta": {
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0006",
"http://blog.checkpoint.com/2016/11/30/1-million-google-accounts-breached-gooligan/",
"https://plus.google.com/+AdrianLudwig/posts/GXzJ8vaAFsi"
],
"synonyms": [
"Gooligan"
]
},
"uuid": "20d56cd6-8dff-4871-9889-d32d254816de"
},
{
"description": "OldBoot is a family of Android malware described in a report from The Hacker News (Citation: HackerNews-OldBoot).\n\nAliases: OldBoot",
"value": "OldBoot - MOB-S0001",
"meta": {
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0001",
"http://thehackernews.com/2014/01/first-widely-distributed-android.html"
],
"synonyms": [
"OldBoot"
]
},
"uuid": "2074b2ad-612e-4758-adce-7901c1b49bbc"
},
{
"description": "WireLurker is a family of macOS malware that targets iOS devices connected over USB (Citation: PaloAlto-WireLurker).\n\nAliases: WireLurker",
"value": "WireLurker - MOB-S0028",
"meta": {
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0028"
],
"synonyms": [
"WireLurker"
]
},
"uuid": "326eaf7b-5784-4f08-8fc2-61fd5d5bc5fb"
},
{
"description": "Android remote access trojan (RAT) that has been observed to pose as legitimate applications including the Super Mario Run (Citation: Zscaler-SuperMarioRun) and Pokemon GO games (Citation: Proofpoint-Droidjack).\n\nAliases: DroidJack RAT",
"value": "DroidJack RAT - MOB-S0036",
"meta": {
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0036",
"https://www.zscaler.com/blogs/research/super-mario-run-malware-2--droidjack-rat",
"https://www.proofpoint.com/us/threat-insight/post/droidjack-uses-side-load-backdoored-pokemon-go-android-app"
],
"synonyms": [
"DroidJack RAT"
]
},
"uuid": "05c4f87c-be8f-46ea-8d9a-2a0aad8f52c1"
},
{
"description": "The HummingWhale Android malware family \"includes new virtual machine techniques that allow the malware to perform ad fraud better than ever\". (Citation: ArsTechnica-HummingWhale)\n\nAliases: HummingWhale",
"value": "HummingWhale - MOB-S0037",
"meta": {
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0037",
"http://arstechnica.com/security/2017/01/virulent-android-malware-returns-gets-2-million-downloads-on-google-play/"
],
"synonyms": [
"HummingWhale"
]
},
"uuid": "6447e3a1-ef4d-44b1-99d5-6b1c4888674f"
},
{
"description": "ANDROIDOS_ANSERVER.A is Android malware notable for using encrypted content within a blog site for command and control (Citation: TrendMicro-Anserver).\n\nAliases: ANDROIDOS_ANSERVER.A",
"value": "ANDROIDOS_ANSERVER.A - MOB-S0026",
"meta": {
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0026",
"http://blog.trendmicro.com/trendlabs-security-intelligence/android-malware-uses-blog-posts-as-cc/"
],
"synonyms": [
"ANDROIDOS_ANSERVER.A"
]
},
"uuid": "4bf6ba32-4165-42c1-b911-9c36165891c8"
},
{
"description": "Android malware described by Kaspersky (Citation: Kaspersky-MobileMalware).\n\nAliases: Trojan-SMS.AndroidOS.FakeInst.a",
"value": "Trojan-SMS.AndroidOS.FakeInst.a - MOB-S0022",
"meta": {
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0022",
"https://securelist.com/analysis/kaspersky-security-bulletin/58335/mobile-malware-evolution-2013/"
],
"synonyms": [
"Trojan-SMS.AndroidOS.FakeInst.a"
]
},
"uuid": "28e39395-91e7-4f02-b694-5e079c964da9"
},
{
"description": "Android malware family analyzed by Lookout (Citation: Lookout-NotCompatible).\n\nAliases: NotCompatible",
"value": "NotCompatible - MOB-S0015",
"meta": {
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0015",
"https://blog.lookout.com/blog/2014/11/19/notcompatible/"
],
"synonyms": [
"NotCompatible"
]
},
"uuid": "23040c15-e7d8-47b5-8c16-8fd3e0e297fe"
},
{
"description": "The X-Agent Android malware was placed in a repackaged version of a Ukrainian artillery targeting application. The malware reportedly retrieved general location data for where it was used and hence the potential location of Ukrainian artillery (Citation: CrowdStrike-Android).\n\nAliases: X-Agent",
"value": "X-Agent - MOB-S0030",
"meta": {
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0030",
"https://www.crowdstrike.com/wp-content/brochures/FancyBearTracksUkrainianArtillery.pdf"
],
"synonyms": [
"X-Agent"
]
},
"uuid": "56660521-6db4-4e5a-a927-464f22954b7c"
},
{
"description": "Twitoor is a family of Android malware described by ESET (Citation: ESET-Twitoor).\n\nAliases: Twitoor",
"value": "Twitoor - MOB-S0018",
"meta": {
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0018",
"http://www.welivesecurity.com/2016/08/24/first-twitter-controlled-android-botnet-discovered/"
],
"synonyms": [
"Twitoor"
]
},
"uuid": "41e3fd01-7b83-471f-835d-d2b1dc9a770c"
},
{
"description": "OBAD is a family of Android malware (Citation: TrendMicro-Obad).\n\nAliases: OBAD",
"value": "OBAD - MOB-S0002",
"meta": {
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0002",
"http://blog.trendmicro.com/trendlabs-security-intelligence/cybercriminals-improve-android-malware-stealth-routines-with-obad/"
],
"synonyms": [
"OBAD"
]
},
"uuid": "ca4f63b9-a358-4214-bb26-8c912318cfde"
},
{
"description": "As reported by Kaspersky (Citation: Kaspersky-WUC), a spear phishing message was sent to activist groups containing a malicious Android application as an attachment.\n\nAliases: Android/Chuli.A",
"value": "Android/Chuli.A - MOB-S0020",
"meta": {
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0020",
"https://securelist.com/blog/incidents/35552/android-trojan-found-in-targeted-attack-58/"
],
"synonyms": [
"Android/Chuli.A"
]
},
"uuid": "d05f7357-4cbe-47ea-bf83-b8604226d533"
},
{
"description": "According to Lookout (Citation: Lookout-EnterpriseApps), the PJApps Android malware family \"may collect and leak the victim's phone number, mobile device unique identifier (IMEI), and location. In order to make money, it may send messages to premium SMS numbers. PJApps also has the ability to download further applications to the device.\"\n\nAliases: PJApps",
"value": "PJApps - MOB-S0007",
"meta": {
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0007",
"https://blog.lookout.com/blog/2016/05/25/spoofed-apps/"
],
"synonyms": [
"PJApps"
]
},
"uuid": "c709da93-20c3-4d17-ab68-48cba76b2137"
},
{
"description": "Android malware analyzed by FireEye (Citation: FireEye-AndroidOverlay).\nAccording to their analysis, \"three campaigns in Europe used view overlay techniques...to present nearly identical credential input UIs as seen in benign apps, subsequently tricking unwary users into providing their banking credentials.\"\n\nAliases: AndroidOverlayMalware",
"value": "AndroidOverlayMalware - MOB-S0012",
"meta": {
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0012",
"https://www.fireeye.com/blog/threat-research/2016/06/latest-android-overlay-malware-spreading-in-europe.html"
],
"synonyms": [
"AndroidOverlayMalware"
]
},
"uuid": "b6d3657a-2d6a-400f-8b7e-4d60391aa1f7"
},
{
"description": "As described by Palo Alto Networks (Citation: ZergHelper), the ZergHelper app uses techniques to evade Apple's App Store review process for itself and uses techniques to install additional applications that are not in Apple's App Store.\n\nAliases: ZergHelper",
"value": "ZergHelper - MOB-S0003",
"meta": {
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0003",
"http://researchcenter.paloaltonetworks.com/2016/02/pirated-ios-app-stores-client-successfully-evaded-apple-ios-code-review/"
],
"synonyms": [
"ZergHelper"
]
},
"uuid": "3c3b55a6-c3e9-4043-8aae-283fe96220c0"
},
{
"description": "SpyNote RAT (Remote Access Trojan) (Citation: Zscaler-SpyNote) is a family of malicious Android apps. The \"SpyNote RAT builder\" tool can be used to develop malicious apps with the SpyNote RAT functionality.\n\nAliases: SpyNote RAT",
"value": "SpyNote RAT - MOB-S0021",
"meta": {
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0021",
"https://www.zscaler.com/blogs/research/spynote-rat-posing-netflix-app"
],
"synonyms": [
"SpyNote RAT"
]
},
"uuid": "20dbaf05-59b8-4dc6-8777-0b17f4553a23"
},
{
"description": "RCSAndroid (Citation: RCSAndroid) is Android malware allegedly distributed by Hacking Team.\n\nAliases: RCSAndroid",
"value": "RCSAndroid - MOB-S0011",
"meta": {
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0011",
"https://github.com/hackedteam/core-android/tree/master/RCSAndroid"
],
"synonyms": [
"RCSAndroid"
]
},
"uuid": "363bc05d-13cb-4e98-a5b7-e250f2bbdc2b"
},
{
"description": "The Charger Android malware \"steals contacts and SMS messages from the user's device\". It also \"asks for admin permissions\" and \"[i]f granted, the ransomware locks the device and displays a message demanding payment\". (Citation: CheckPoint-Charger)\n\nAliases: Charger",
"value": "Charger - MOB-S0039",
"meta": {
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0039",
"http://blog.checkpoint.com/2017/01/24/charger-malware/"
],
"synonyms": [
"Charger"
]
},
"uuid": "d1c600f8-0fb6-4367-921b-85b71947d950"
},
{
"description": "iOS malware that \"is different from previous seen iOS malware in that it attacks both jailbroken and non-jailbroken iOS devices\" and \"abuses private APIs in the iOS system to implement malicious functionalities\" (Citation: PaloAlto-YiSpecter).\n\nAliases: YiSpecter",
"value": "YiSpecter - MOB-S0027",
"meta": {
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0027"
],
"synonyms": [
"YiSpecter"
]
},
"uuid": "a15c9357-2be0-4836-beec-594f28b9b4a9"
},
{
"description": "Discovered and analyzed by Lookout (Citation: Lookout-PegasusAndroid) and Google (Citation: Google-Chrysaor), Pegasus for Android (also known as Chrysaor) is spyware that was used in targeted attacks. Pegasus for Android does not use zero-day vulnerabilities. It attempts to escalate privileges using well-known vulnerabilities, and even if the attempts fail, it still performs some subset of spyware functions that do not require escalated privileges.\n\nAliases: Pegasus for Android, Chrysaor",
"value": "Pegasus for Android - MOB-S0032",
"meta": {
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0032",
"https://blog.lookout.com/blog/2017/04/03/pegasus-android/",
"https://android-developers.googleblog.com/2017/04/an-investigation-of-chrysaor-malware-on.html"
],
"synonyms": [
"Pegasus for Android",
"Chrysaor"
]
},
"uuid": "93799a9d-3537-43d8-b6f4-17215de1657c"
},
{
"description": "iOS malware analyzed by Palo Alto Networks (Citation: PaloAlto-XcodeGhost1) (Citation: PaloAlto-XcodeGhost).\n\nAliases: XcodeGhost",
"value": "XcodeGhost - MOB-S0013",
"meta": {
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0013",
"http://researchcenter.paloaltonetworks.com/2015/09/novel-malware-xcodeghost-modifies-xcode-infects-apple-ios-apps-and-hits-app-store/",
"http://researchcenter.paloaltonetworks.com/2015/09/update-xcodeghost-attacker-can-phish-passwords-and-open-urls-though-infected-apps/"
],
"synonyms": [
"XcodeGhost"
]
},
"uuid": "d9e07aea-baad-4b68-bdca-90c77647d7f9"
}
]
}