{"description": "Mobile techniques used by Red Alert 2.0, ATT&CK software S0539 (v1.0)", "name": "Red Alert 2.0 (S0539)", "domain": "mobile-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1626", "showSubtechniques": true}, {"techniqueID": "T1626.001", "comment": "[Red Alert 2.0](https://attack.mitre.org/software/S0539) can request device administrator permissions.(Citation: Sophos Red Alert 2.0)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1437", "showSubtechniques": true}, {"techniqueID": "T1437.001", "comment": "[Red Alert 2.0](https://attack.mitre.org/software/S0539) has communicated with the C2 using HTTP.(Citation: Sophos Red Alert 2.0)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1407", "comment": "[Red Alert 2.0](https://attack.mitre.org/software/S0539) can download additional overlay templates.(Citation: Sophos Red Alert 2.0)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1417", "showSubtechniques": true}, {"techniqueID": "T1417.002", "comment": "[Red Alert 2.0](https://attack.mitre.org/software/S0539) has used malicious overlays to collect banking credentials.(Citation: Sophos Red Alert 2.0)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1655", "showSubtechniques": true}, {"techniqueID": "T1655.001", "comment": "[Red Alert 2.0](https://attack.mitre.org/software/S0539) has masqueraded as legitimate media player, social media, and VPN applications.(Citation: Sophos Red Alert 2.0)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1509", "comment": "[Red Alert 2.0](https://attack.mitre.org/software/S0539) has communicated with the C2 using HTTP requests over port 7878.(Citation: Sophos Red Alert 2.0)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1406", "comment": "[Red Alert 2.0](https://attack.mitre.org/software/S0539) has stored data embedded in the strings.xml resource file.(Citation: Sophos Red Alert 2.0)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1636", "showSubtechniques": true}, {"techniqueID": "T1636.002", "comment": "[Red Alert 2.0](https://attack.mitre.org/software/S0539) can collect the device\u2019s call log.(Citation: Sophos Red Alert 2.0)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1636.003", "comment": "[Red Alert 2.0](https://attack.mitre.org/software/S0539) can collect the device\u2019s contact list.(Citation: Sophos Red Alert 2.0)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1636.004", "comment": "[Red Alert 2.0](https://attack.mitre.org/software/S0539) can collect SMS messages.(Citation: Sophos Red Alert 2.0)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1582", "comment": "[Red Alert 2.0](https://attack.mitre.org/software/S0539) can send SMS messages.(Citation: Sophos Red Alert 2.0)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1418", "comment": "[Red Alert 2.0](https://attack.mitre.org/software/S0539) can obtain the running application.(Citation: Sophos Red Alert 2.0)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1481", "showSubtechniques": true}, {"techniqueID": "T1481.001", "comment": "[Red Alert 2.0](https://attack.mitre.org/software/S0539) can fetch a backup C2 domain from Twitter if the primary C2 is unresponsive.(Citation: Sophos Red Alert 2.0)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by Red Alert 2.0", "color": "#66b1ff"}]}