{"description": "Mobile techniques used by Hornbill, ATT&CK software S1077 (v1.0)", "name": "Hornbill (S1077)", "domain": "mobile-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1626", "showSubtechniques": true}, {"techniqueID": "T1626.001", "comment": "[Hornbill](https://attack.mitre.org/software/S1077) can request device administrator privileges.(Citation: lookout_hornbill_sunbird_0221)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1517", "comment": "[Hornbill](https://attack.mitre.org/software/S1077) has monitored for SMS and WhatsApp notifications.(Citation: lookout_hornbill_sunbird_0221)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1437", "showSubtechniques": true}, {"techniqueID": "T1437.001", "comment": "[Hornbill](https://attack.mitre.org/software/S1077) can use HTTP and HTTP POST to communicate information to the C2.(Citation: lookout_hornbill_sunbird_0221)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1429", "comment": "[Hornbill](https://attack.mitre.org/software/S1077) can record environmental and call audio.(Citation: lookout_hornbill_sunbird_0221)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1533", "comment": "[Hornbill](https://attack.mitre.org/software/S1077) can access images stored on external storage.(Citation: lookout_hornbill_sunbird_0221)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1646", "comment": "[Hornbill](https://attack.mitre.org/software/S1077) can exfiltrate data back to the C2 server using HTTP.(Citation: lookout_hornbill_sunbird_0221) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1420", "comment": "[Hornbill](https://attack.mitre.org/software/S1077) has a list of file extensions that it may use to log certain operations (creation, open, close, modification, movement, deletion) on files of those types.(Citation: lookout_hornbill_sunbird_0221)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1628", "showSubtechniques": true}, {"techniqueID": "T1628.002", "comment": "[Hornbill](https://attack.mitre.org/software/S1077) uses an infrequent data upload schedule to avoid user detection and battery drain. It also can delete on-device data after being sent to the C2, and stores collected data in hidden folders on external storage.(Citation: lookout_hornbill_sunbird_0221)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1630", "showSubtechniques": true}, {"techniqueID": "T1630.002", "comment": "[Hornbill](https://attack.mitre.org/software/S1077) can delete locally gathered files after uploading them to the C2 to avoid suspicion.(Citation: lookout_hornbill_sunbird_0221) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1430", "comment": "[Hornbill](https://attack.mitre.org/software/S1077) can access a device\u2019s location and check if GPS is enabled. [Hornbill](https://attack.mitre.org/software/S1077) has logic to only log location changes greater than 70 meters.(Citation: lookout_hornbill_sunbird_0221)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1655", "showSubtechniques": true}, {"techniqueID": "T1655.001", "comment": "[Hornbill](https://attack.mitre.org/software/S1077) has impersonated chat applications such as Fruit Chat, Cucu Chat, and Kako Chat.(Citation: lookout_hornbill_sunbird_0221) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1636", "showSubtechniques": true}, {"techniqueID": "T1636.002", "comment": "[Hornbill](https://attack.mitre.org/software/S1077) can gather device call logs.(Citation: lookout_hornbill_sunbird_0221)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1636.003", "comment": "[Hornbill](https://attack.mitre.org/software/S1077) can collect device contacts.(Citation: lookout_hornbill_sunbird_0221)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1513", "comment": "[Hornbill](https://attack.mitre.org/software/S1077) can take screenshots and can abuse accessibility services to scrape WhatsApp messages, contacts, and notifications.(Citation: lookout_hornbill_sunbird_0221)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1418", "comment": "[Hornbill](https://attack.mitre.org/software/S1077) can search for installed applications such as WhatsApp.(Citation: lookout_hornbill_sunbird_0221) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1409", "comment": "[Hornbill](https://attack.mitre.org/software/S1077) can collect voice notes and messages from WhatsApp, if installed.(Citation: lookout_hornbill_sunbird_0221)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1426", "comment": "[Hornbill](https://attack.mitre.org/software/S1077) can collect the device ID, model, manufacturer, and Android version. It can also check available storage space and if the screen is locked.(Citation: lookout_hornbill_sunbird_0221)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1422", "comment": "[Hornbill](https://attack.mitre.org/software/S1077) can collect a device's phone number and IMEI, and can check to see if WiFi is enabled.(Citation: lookout_hornbill_sunbird_0221)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1422.001", "comment": "[Hornbill](https://attack.mitre.org/software/S1077) can collect a device's phone number and IMEI, and can check to see if WiFi is enabled.(Citation: lookout_hornbill_sunbird_0221)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1422.002", "comment": "[Hornbill](https://attack.mitre.org/software/S1077) can collect a device's phone number and IMEI, and can check to see if Wi-Fi is enabled.(Citation: lookout_hornbill_sunbird_0221)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1512", "comment": "[Hornbill](https://attack.mitre.org/software/S1077) can access a device\u2019s camera and take photos.(Citation: lookout_hornbill_sunbird_0221)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by Hornbill", "color": "#66b1ff"}]}