{"description": "Mobile techniques used by S.O.V.A., ATT&CK software S1062 (v1.0)", "name": "S.O.V.A. (S1062)", "domain": "mobile-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1517", "comment": "[S.O.V.A.](https://attack.mitre.org/software/S1062) can silently intercept and manipulate notifications. [S.O.V.A.](https://attack.mitre.org/software/S1062) can also inject cookies via push notifications.(Citation: threatfabric_sova_0921)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1638", "comment": "[S.O.V.A.](https://attack.mitre.org/software/S1062) has included adversary-in-the-middle capabilities.(Citation: threatfabric_sova_0921)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1437", "showSubtechniques": true}, {"techniqueID": "T1437.001", "comment": "[S.O.V.A.](https://attack.mitre.org/software/S1062) can use the open-source project RetroFit for C2 communication.(Citation: threatfabric_sova_0921)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1471", "comment": "[S.O.V.A.](https://attack.mitre.org/software/S1062) has code to encrypt device data with AES.(Citation: cleafy_sova_1122)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1641", "showSubtechniques": true}, {"techniqueID": "T1641.001", "comment": "[S.O.V.A.](https://attack.mitre.org/software/S1062) can manipulate clipboard data to replace cryptocurrency addresses.(Citation: threatfabric_sova_0921)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1628", "showSubtechniques": true}, {"techniqueID": "T1628.001", "comment": "[S.O.V.A.](https://attack.mitre.org/software/S1062) can hide its application icon.(Citation: threatfabric_sova_0921)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1629", "showSubtechniques": true}, {"techniqueID": "T1629.001", "comment": "[S.O.V.A.](https://attack.mitre.org/software/S1062) can resist removal by going to the home screen during uninstall.(Citation: threatfabric_sova_0921)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1630", "showSubtechniques": true}, {"techniqueID": "T1630.001", "comment": "[S.O.V.A.](https://attack.mitre.org/software/S1062) can uninstall itself.(Citation: threatfabric_sova_0921)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1417", "showSubtechniques": true}, {"techniqueID": "T1417.001", "comment": "[S.O.V.A.](https://attack.mitre.org/software/S1062) can use keylogging to capture user input.(Citation: threatfabric_sova_0921)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1417.002", "comment": "[S.O.V.A.](https://attack.mitre.org/software/S1062) can use overlays capture banking credentials and credit card information, and can open arbitrary WebViews from the C2.(Citation: threatfabric_sova_0921)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1516", "comment": "[S.O.V.A.](https://attack.mitre.org/software/S1062) can programmatically tap the screen or swipe.(Citation: cleafy_sova_1122)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1464", "comment": "[S.O.V.A.](https://attack.mitre.org/software/S1062) has C2 commands to add an infected device to a DDoS pool.(Citation: threatfabric_sova_0921)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1406", "showSubtechniques": true}, {"techniqueID": "T1406.002", "comment": "[S.O.V.A.](https://attack.mitre.org/software/S1062) has been distributed in obfuscated and packed form.(Citation: threatfabric_sova_0921)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1636", "showSubtechniques": true}, {"techniqueID": "T1636.004", "comment": "[S.O.V.A.](https://attack.mitre.org/software/S1062) can intercept and read SMS messages.(Citation: threatfabric_sova_0921)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1513", "comment": "[S.O.V.A.](https://attack.mitre.org/software/S1062) can take screenshots and abuse the Android Screen Cast feature to capture screen data.(Citation: cleafy_sova_1122)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1582", "comment": "[S.O.V.A.](https://attack.mitre.org/software/S1062) can send SMS messages.(Citation: threatfabric_sova_0921)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1418", "comment": "[S.O.V.A.](https://attack.mitre.org/software/S1062) can search for installed applications that match a list of targets.(Citation: cleafy_sova_1122)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1409", "comment": "[S.O.V.A.](https://attack.mitre.org/software/S1062) can gather session cookies from infected devices. [S.O.V.A.](https://attack.mitre.org/software/S1062) can also abuse Accessibility Services to steal Google Authenticator tokens.(Citation: threatfabric_sova_0921)(Citation: cleafy_sova_1122)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1426", "comment": "[S.O.V.A.](https://attack.mitre.org/software/S1062) can gather data about the device.(Citation: threatfabric_sova_0921)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by S.O.V.A.", "color": "#66b1ff"}]}