{"description": "Mobile techniques used by BrainTest, ATT&CK software S0293 (v1.0)", "name": "BrainTest (S0293)", "domain": "mobile-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1645", "comment": "[BrainTest](https://attack.mitre.org/software/S0293) uses root privileges (if available) to copy an additional Android app package (APK) to /system/priv-app to maintain persistence even after a factory reset.(Citation: Lookout-BrainTest)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1407", "comment": "Original samples of [BrainTest](https://attack.mitre.org/software/S0293) download their exploit packs for rooting from a remote server after installation.(Citation: Lookout-BrainTest)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1404", "comment": "Some original variants of [BrainTest](https://attack.mitre.org/software/S0293) had the capability to automatically root some devices, but that behavior was not observed in later samples.(Citation: Lookout-BrainTest)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1643", "comment": "[BrainTest](https://attack.mitre.org/software/S0293) provided capabilities that allowed developers to use compromised devices to post positive reviews on their own malicious applications as well as download other malicious applications they had submitted to the Play Store.(Citation: Lookout-BrainTest)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1406", "comment": "[BrainTest](https://attack.mitre.org/software/S0293) stores a secondary Android app package (APK) in its assets directory in encrypted form, and decrypts the payload at runtime.(Citation: Lookout-BrainTest)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by BrainTest", "color": "#66b1ff"}]}