{"description": "Mobile techniques used by Cerberus, ATT&CK software S0480 (v1.1)", "name": "Cerberus (S0480)", "domain": "mobile-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1437", "showSubtechniques": true}, {"techniqueID": "T1437.001", "comment": "[Cerberus](https://attack.mitre.org/software/S0480) communicates with the C2 server using HTTP.(Citation: CheckPoint Cerberus)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1407", "comment": "[Cerberus](https://attack.mitre.org/software/S0480) can update the malicious payload module on command.(Citation: Threat Fabric Cerberus)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1628", "showSubtechniques": true}, {"techniqueID": "T1628.001", "comment": "[Cerberus](https://attack.mitre.org/software/S0480) hides its icon from the application drawer after being launched for the first time.(Citation: Threat Fabric Cerberus)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1629", "showSubtechniques": true}, {"techniqueID": "T1629.003", "comment": "[Cerberus](https://attack.mitre.org/software/S0480) disables Google Play Protect to prevent its discovery and deletion in the future.(Citation: Threat Fabric Cerberus)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1630", "showSubtechniques": true}, {"techniqueID": "T1630.001", "comment": "[Cerberus](https://attack.mitre.org/software/S0480) can uninstall itself from a device on command.(Citation: Threat Fabric Cerberus)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1417", "showSubtechniques": true}, {"techniqueID": "T1417.001", "comment": "[Cerberus](https://attack.mitre.org/software/S0480) can record keystrokes.(Citation: Threat Fabric Cerberus)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1417.002", "comment": "[Cerberus](https://attack.mitre.org/software/S0480) can generate fake notifications and launch overlay attacks against attacker-specified applications.(Citation: Threat Fabric Cerberus)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1516", "comment": "[Cerberus](https://attack.mitre.org/software/S0480) can inject input to grant itself additional permissions without user interaction and to prevent application removal.(Citation: Threat Fabric Cerberus)(Citation: CheckPoint Cerberus)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1430", "comment": "[Cerberus](https://attack.mitre.org/software/S0480) can collect the device\u2019s location.(Citation: Threat Fabric Cerberus)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1655", "showSubtechniques": true}, {"techniqueID": "T1655.001", "comment": "[Cerberus](https://attack.mitre.org/software/S0480) has pretended to be an Adobe Flash Player installer.(Citation: Forbes Cerberus)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1509", "comment": "[Cerberus](https://attack.mitre.org/software/S0480) communicates with the C2 using HTTP requests over port 8888.(Citation: CheckPoint Cerberus)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1406", "comment": "[Cerberus](https://attack.mitre.org/software/S0480) uses standard payload and string obfuscation techniques.(Citation: Threat Fabric Cerberus)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1636", "showSubtechniques": true}, {"techniqueID": "T1636.003", "comment": "[Cerberus](https://attack.mitre.org/software/S0480) can obtain the device\u2019s contact list.(Citation: Threat Fabric Cerberus)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1636.004", "comment": "[Cerberus](https://attack.mitre.org/software/S0480) can collect SMS messages from a device.(Citation: Threat Fabric Cerberus)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1582", "comment": "[Cerberus](https://attack.mitre.org/software/S0480) can send SMS messages from a device.(Citation: Threat Fabric Cerberus)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1418", "comment": "[Cerberus](https://attack.mitre.org/software/S0480) can obtain a list of installed applications.(Citation: Threat Fabric Cerberus)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1426", "comment": "[Cerberus](https://attack.mitre.org/software/S0480) can collect device information, such as the default SMS app and device locale.(Citation: Threat Fabric Cerberus)(Citation: CheckPoint Cerberus)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1633", "showSubtechniques": true}, {"techniqueID": "T1633.001", "comment": "[Cerberus](https://attack.mitre.org/software/S0480) avoids being analyzed by only activating the malware after recording a certain number of steps from the accelerometer.(Citation: Threat Fabric Cerberus)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by Cerberus", "color": "#66b1ff"}]}