{"description": "Mobile techniques used by Mandrake, ATT&CK software S0485 (v1.0)", "name": "Mandrake (S0485)", "domain": "mobile-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1517", "comment": "[Mandrake](https://attack.mitre.org/software/S0485) can capture all device notifications and hide notifications from the user.(Citation: Bitdefender Mandrake)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1407", "comment": "[Mandrake](https://attack.mitre.org/software/S0485) can download its second (Loader) and third (Core) stages after the dropper is installed.(Citation: Bitdefender Mandrake)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1637", "showSubtechniques": true}, {"techniqueID": "T1637.001", "comment": "[Mandrake](https://attack.mitre.org/software/S0485) has used domain generation algorithms.(Citation: Bitdefender Mandrake)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1541", "comment": "[Mandrake](https://attack.mitre.org/software/S0485) uses foreground persistence to keep a service running. It shows the user a transparent notification to evade detection.(Citation: Bitdefender Mandrake)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1628", "showSubtechniques": true}, {"techniqueID": "T1628.001", "comment": "[Mandrake](https://attack.mitre.org/software/S0485) can hide its icon on older Android versions.(Citation: Bitdefender Mandrake)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1629", "showSubtechniques": true}, {"techniqueID": "T1629.001", "comment": "[Mandrake](https://attack.mitre.org/software/S0485) can abuse device administrator permissions to ensure that it cannot be uninstalled until its permissions are revoked.(Citation: Bitdefender Mandrake)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1629.003", "comment": "[Mandrake](https://attack.mitre.org/software/S0485) can disable Play Protect.(Citation: Bitdefender Mandrake)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1630", "showSubtechniques": true}, {"techniqueID": "T1630.002", "comment": "[Mandrake](https://attack.mitre.org/software/S0485) can delete all data from an infected device.(Citation: Bitdefender Mandrake)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1544", "comment": "[Mandrake](https://attack.mitre.org/software/S0485) can install attacker-specified components or applications.(Citation: Bitdefender Mandrake)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1417", "showSubtechniques": true}, {"techniqueID": "T1417.002", "comment": "[Mandrake](https://attack.mitre.org/software/S0485) can manipulate visual components to trick the user into granting dangerous permissions, and can use phishing overlays and JavaScript injection to capture credentials.(Citation: Bitdefender Mandrake)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1516", "comment": "[Mandrake](https://attack.mitre.org/software/S0485) abuses the accessibility service to prevent removing administrator permissions, accessibility permissions, and to set itself as the default SMS handler.(Citation: Bitdefender Mandrake)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1430", "comment": "[Mandrake](https://attack.mitre.org/software/S0485) can collect the device\u2019s location.(Citation: Bitdefender Mandrake)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1655", "showSubtechniques": true}, {"techniqueID": "T1655.001", "comment": "[Mandrake](https://attack.mitre.org/software/S0485) can mimic an app called \u201cStorage Settings\u201d if it cannot hide its icon.(Citation: Bitdefender Mandrake)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1509", "comment": "[Mandrake](https://attack.mitre.org/software/S0485) has communicated with the C2 server over TCP port 7777.(Citation: Bitdefender Mandrake)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1406", "comment": "[Mandrake](https://attack.mitre.org/software/S0485) obfuscates its hardcoded C2 URLs.(Citation: Bitdefender Mandrake)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1636", "showSubtechniques": true}, {"techniqueID": "T1636.003", "comment": "[Mandrake](https://attack.mitre.org/software/S0485) can access the device\u2019s contact list.(Citation: Bitdefender Mandrake)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1636.004", "comment": "[Mandrake](https://attack.mitre.org/software/S0485) can access SMS messages.(Citation: Bitdefender Mandrake)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1513", "comment": "[Mandrake](https://attack.mitre.org/software/S0485) can record the screen.(Citation: Bitdefender Mandrake)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1582", "comment": "[Mandrake](https://attack.mitre.org/software/S0485) can block, forward, hide, and send SMS messages.(Citation: Bitdefender Mandrake)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1418", "comment": "[Mandrake](https://attack.mitre.org/software/S0485) can obtain a list of installed applications.(Citation: Bitdefender Mandrake)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1409", "comment": "[Mandrake](https://attack.mitre.org/software/S0485) can collect all accounts stored on the device.(Citation: Bitdefender Mandrake)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1632", "showSubtechniques": true}, {"techniqueID": "T1632.001", "comment": "[Mandrake](https://attack.mitre.org/software/S0485) can enable app installation from unknown sources.(Citation: Bitdefender Mandrake)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1426", "comment": "[Mandrake](https://attack.mitre.org/software/S0485) can access device configuration information and status, including Android version, battery level, device model, country, and SIM operator.(Citation: Bitdefender Mandrake)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1633", "showSubtechniques": true}, {"techniqueID": "T1633.001", "comment": "[Mandrake](https://attack.mitre.org/software/S0485) can evade automated analysis environments by requiring a CAPTCHA on launch that will prevent the application from running if not passed. It also checks for indications that it is running in an emulator.(Citation: Bitdefender Mandrake)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1481", "showSubtechniques": true}, {"techniqueID": "T1481.002", "comment": "[Mandrake](https://attack.mitre.org/software/S0485) has used Firebase for C2.(Citation: Bitdefender Mandrake)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by Mandrake", "color": "#66b1ff"}]}