{"description": "Mobile techniques used by Anubis, ATT&CK software S0422 (v1.3)", "name": "Anubis (S0422)", "domain": "mobile-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1532", "comment": "[Anubis](https://attack.mitre.org/software/S0422) exfiltrates data encrypted (with RC4) by its ransomware module.(Citation: Cofense Anubis)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1429", "comment": "[Anubis](https://attack.mitre.org/software/S0422) can record phone calls and audio.(Citation: Cofense Anubis)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1616", "comment": "[Anubis](https://attack.mitre.org/software/S0422) can make phone calls.(Citation: Cofense Anubis)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1471", "comment": "[Anubis](https://attack.mitre.org/software/S0422) can use its ransomware module to encrypt device data and hold it for ransom.(Citation: Cofense Anubis)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1533", "comment": "[Anubis](https://attack.mitre.org/software/S0422) can exfiltrate files encrypted with the ransomware module from the device and can modify external storage.(Citation: Cofense Anubis)(Citation: Trend Micro Anubis) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1407", "comment": "[Anubis](https://attack.mitre.org/software/S0422) can download attacker-specified APK files.(Citation: Trend Micro Anubis)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1629", "showSubtechniques": true}, {"techniqueID": "T1629.001", "comment": "[Anubis](https://attack.mitre.org/software/S0422) may prevent malware's uninstallation by abusing Android\u2019s ` performGlobalAction(int)` API call.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1629.003", "comment": "[Anubis](https://attack.mitre.org/software/S0422) can modify administrator settings and disable Play Protect.(Citation: Cofense Anubis)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1417", "showSubtechniques": true}, {"techniqueID": "T1417.001", "comment": "[Anubis](https://attack.mitre.org/software/S0422) has a keylogger that works in every application installed on the device.(Citation: Cofense Anubis)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1417.002", "comment": "[Anubis](https://attack.mitre.org/software/S0422) can create overlays to capture user credentials for targeted applications.(Citation: Cofense Anubis)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1430", "comment": "[Anubis](https://attack.mitre.org/software/S0422) can retrieve the device\u2019s GPS location.(Citation: Cofense Anubis)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1655", "showSubtechniques": true}, {"techniqueID": "T1655.001", "comment": "[Anubis](https://attack.mitre.org/software/S0422) has requested accessibility service privileges while masquerading as \"Google Play Protect\" and has disguised additional malicious application installs as legitimate system updates.(Citation: Cofense Anubis)(Citation: Trend Micro Anubis)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1424", "comment": "[Anubis](https://attack.mitre.org/software/S0422) can collect a list of running processes.(Citation: Zimperium z9)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1636", "showSubtechniques": true}, {"techniqueID": "T1636.003", "comment": "[Anubis](https://attack.mitre.org/software/S0422) can steal the device\u2019s contact list.(Citation: Cofense Anubis) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1513", "comment": "[Anubis](https://attack.mitre.org/software/S0422) can take screenshots.(Citation: Cofense Anubis)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1582", "comment": "[Anubis](https://attack.mitre.org/software/S0422) can send, receive, and delete SMS messages.(Citation: Cofense Anubis)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1418", "comment": "[Anubis](https://attack.mitre.org/software/S0422) can collect a list of installed applications to compare to a list of targeted applications.(Citation: Cofense Anubis)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1426", "comment": "[Anubis](https://attack.mitre.org/software/S0422) can collect the device\u2019s ID.(Citation: Cofense Anubis)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1633", "showSubtechniques": true}, {"techniqueID": "T1633.001", "comment": "[Anubis](https://attack.mitre.org/software/S0422) has used motion sensor data  to attempt to determine if it is running in an emulator.(Citation: Trend Micro Anubis)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1481", "showSubtechniques": true}, {"techniqueID": "T1481.001", "comment": "[Anubis](https://attack.mitre.org/software/S0422) can retrieve the C2 address from Twitter and Telegram.(Citation: Cofense Anubis)(Citation: Trend Micro Anubis)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by Anubis", "color": "#66b1ff"}]}