{"description": "Mobile techniques used by TrickMo, ATT&CK software S0427 (v1.1)", "name": "TrickMo (S0427)", "domain": "mobile-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1437", "showSubtechniques": true}, {"techniqueID": "T1437.001", "comment": "[TrickMo](https://attack.mitre.org/software/S0427) communicates with the C2 by sending JSON objects over unencrypted HTTP requests.(Citation: SecurityIntelligence TrickMo)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1533", "comment": "[TrickMo](https://attack.mitre.org/software/S0427) can steal pictures from the device.(Citation: SecurityIntelligence TrickMo)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1624", "showSubtechniques": true}, {"techniqueID": "T1624.001", "comment": "[TrickMo](https://attack.mitre.org/software/S0427) registers for the `SCREEN_ON` and `SMS_DELIVER` intents to perform actions when the device is unlocked and when the device receives an SMS message.(Citation: SecurityIntelligence TrickMo)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1629", "showSubtechniques": true}, {"techniqueID": "T1629.002", "comment": "[TrickMo](https://attack.mitre.org/software/S0427) can prevent the user from interacting with the UI by showing a WebView with a persistent cursor.(Citation: SecurityIntelligence TrickMo)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1630", "showSubtechniques": true}, {"techniqueID": "T1630.001", "comment": "[TrickMo](https://attack.mitre.org/software/S0427) can uninstall itself from a device on command by abusing the accessibility service.(Citation: SecurityIntelligence TrickMo) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1516", "comment": "[TrickMo](https://attack.mitre.org/software/S0427) can inject input to set itself as the default SMS handler, and to automatically click through pop-ups without giving the user any time to react.(Citation: SecurityIntelligence TrickMo)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1406", "comment": "[TrickMo](https://attack.mitre.org/software/S0427) contains obfuscated function, class, and variable names, and encrypts its shared preferences using Java\u2019s `PBEWithMD5AndDES` algorithm.(Citation: SecurityIntelligence TrickMo)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1644", "comment": "[TrickMo](https://attack.mitre.org/software/S0427) can be controlled via encrypted SMS message.(Citation: SecurityIntelligence TrickMo)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1636", "showSubtechniques": true}, {"techniqueID": "T1636.004", "comment": "[TrickMo](https://attack.mitre.org/software/S0427) can intercept SMS messages.(Citation: SecurityIntelligence TrickMo)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1513", "comment": "[TrickMo](https://attack.mitre.org/software/S0427) can use the `MediaRecorder` class to record the screen when the targeted application is presented to the user, and can abuse accessibility features to record targeted applications to intercept transaction authorization numbers (TANs) and to scrape on-screen text.(Citation: SecurityIntelligence TrickMo)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1582", "comment": "[TrickMo](https://attack.mitre.org/software/S0427) can delete SMS messages.(Citation: SecurityIntelligence TrickMo)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1418", "comment": "[TrickMo](https://attack.mitre.org/software/S0427) can collect a list of installed applications.(Citation: SecurityIntelligence TrickMo)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1426", "comment": "[TrickMo](https://attack.mitre.org/software/S0427) can collect device information such as network operator, model, brand, and OS version.(Citation: SecurityIntelligence TrickMo)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1422", "comment": "[TrickMo](https://attack.mitre.org/software/S0427) can collect device network configuration information such as IMSI, IMEI, and Wi-Fi connection state.(Citation: SecurityIntelligence TrickMo)", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1422.001", "comment": "[TrickMo](https://attack.mitre.org/software/S0427) can collect device network configuration information such as IMSI, IMEI, and Wi-Fi connection state.(Citation: SecurityIntelligence TrickMo)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1422.002", "comment": "[TrickMo](https://attack.mitre.org/software/S0427) can collect device network configuration information such as IMSI, IMEI, and Wi-Fi connection state.(Citation: SecurityIntelligence TrickMo)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1633", "showSubtechniques": true}, {"techniqueID": "T1633.001", "comment": "[TrickMo](https://attack.mitre.org/software/S0427) can detect if it is running on a rooted device or an emulator.(Citation: SecurityIntelligence TrickMo)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by TrickMo", "color": "#66b1ff"}]}