| Domain | ID | Name | Use |
| --- | --- | --- | --- |
| Mobile | T1517 | Access Notifications | Mandrake can capture all device notifications and hide notifications from the user. |
| Mobile | T1407 | Download New Code at Runtime | Mandrake can download its second (Loader) and third (Core) stages after the dropper is installed. |
| Mobile | T1637 | Dynamic Resolution | - |
| Mobile | T1637.001 | Domain Generation Algorithms | Mandrake has used domain generation algorithms. |
| Mobile | T1541 | Foreground Persistence | Mandrake uses foreground persistence to keep a service running. It shows the user a transparent notification so that the running service does not draw attention. |
| Mobile | T1628 | Hide Artifacts | - |
| Mobile | T1628.001 | Suppress Application Icon | Mandrake can hide its launcher icon on older Android versions (Android 10 and later largely prevent apps from hiding their launcher icon). |
| Mobile | T1629 | Impair Defenses | - |
| Mobile | T1629.001 | Prevent Application Removal | Mandrake abuses device administrator privileges: an active device administrator app cannot be uninstalled until that privilege is revoked. |
| Mobile | T1629.003 | Disable or Modify Tools | Mandrake can disable Play Protect. |
| Mobile | T1630 | Indicator Removal on Host | - |
| Mobile | T1630.002 | File Deletion | Mandrake can delete all data from an infected device. |
| Mobile | T1544 | Ingress Tool Transfer | Mandrake can install attacker-specified components or applications. |
| Mobile | T1417 | Input Capture | - |
| Mobile | T1417.002 | GUI Input Capture | Mandrake can manipulate visual components to trick the user into granting dangerous permissions, and can use phishing overlays and JavaScript injection to capture credentials. |
| Mobile | T1516 | Input Injection | Mandrake abuses the accessibility service to stop the user from revoking its device administrator and accessibility permissions, and to set itself as the default SMS handler. |
| Mobile | T1430 | Location Tracking | Mandrake can collect the device’s location. |
| Mobile | T1509 | Non-Standard Port | Mandrake has communicated with its C2 server over TCP port 7777. |
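The two network rows above (T1637.001 and T1509) are the ones a detection engineer can act on from telemetry alone. The following is an added example, not Mandrake's code and not the page's: it triages constructed Zeek-style dns.log and conn.log records for DGA-looking domains and for outbound TCP 7777. The page does not describe Mandrake's actual DGA, so the entropy/vowel-ratio heuristic, its thresholds, the `10.0.0.0/8` "internal" range and all log lines are assumptions made for illustration.

```python
"""Triage constructed DNS and connection telemetry for two network indicators
from the table: DGA-like domains (T1637.001) and C2 over TCP 7777 (T1509).
Added example; thresholds are assumptions, not Mandrake's algorithm."""
import ipaddress
import math
from collections import Counter, defaultdict

# Constructed Zeek-style records (tab-separated), not real Mandrake traffic.
# dns.log subset: ts, orig_h, query, rcode_name
DNS_LOG = """\
1700000000.1\t10.0.0.5\tplay.google.com\tNOERROR
1700000000.2\t10.0.0.5\txq7vbk2mzpd9f3wqalt.top\tNXDOMAIN
1700000000.3\t10.0.0.5\tfirebaseio.com\tNOERROR
1700000000.4\t10.0.0.5\tk2jd9qxzwtb8mvcnlhg.xyz\tNXDOMAIN
1700000000.5\t10.0.0.7\tupdates.example-cdn.net\tNOERROR
"""
# conn.log subset: ts, orig_h, resp_h, resp_p, proto
CONN_LOG = """\
1700000000.6\t10.0.0.5\t203.0.113.10\t443\ttcp
1700000000.7\t10.0.0.5\t203.0.113.77\t7777\ttcp
1700000000.8\t10.0.0.5\t198.51.100.9\t7777\tudp
1700000000.9\t10.0.0.5\t10.0.0.1\t7777\ttcp
"""

VOWELS = set("aeiou")
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed site-local range


def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registrable_label(fqdn: str) -> str:
    # Naive: the label left of the last dot. A public-suffix list is needed
    # to handle names such as example.co.uk correctly.
    parts = fqdn.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def dga_like(label: str, min_len=12, min_entropy=3.0, max_vowel_ratio=0.25) -> bool:
    """Heuristic: long, high-entropy, vowel-poor labels look machine-generated.
    Thresholds are assumptions; tune them against your own DNS baseline."""
    if len(label) < min_len:
        return False
    letters = [c for c in label if c.isalpha()]
    vowel_ratio = sum(c in VOWELS for c in letters) / max(len(letters), 1)
    return shannon_entropy(label) >= min_entropy and vowel_ratio <= max_vowel_ratio


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def triage(dns_log: str, conn_log: str, c2_port: int = 7777) -> dict:
    dga_domains, nxdomain_per_host = [], defaultdict(int)
    for line in dns_log.splitlines():
        _ts, src, query, rcode = line.split("\t")
        if rcode == "NXDOMAIN":  # DGA clients burn through unregistered names
            nxdomain_per_host[src] += 1
        if dga_like(registrable_label(query)):
            dga_domains.append(query)
    external_c2_port = []
    for line in conn_log.splitlines():
        _ts, src, dst, dport, proto = line.split("\t")
        # The table names TCP specifically; UDP and internal peers are skipped.
        if proto == "tcp" and int(dport) == c2_port and not is_internal(dst):
            external_c2_port.append((src, dst))
    return {
        "dga_domains": dga_domains,
        "nxdomain_per_host": dict(nxdomain_per_host),
        "external_c2_port": external_c2_port,
    }


if __name__ == "__main__":
    for key, value in triage(DNS_LOG, CONN_LOG).items():
        print(key, value)
```

The NXDOMAIN counter is the part worth keeping even if the label heuristic is tuned away: a DGA client that has not yet found its live domain produces a burst of failed lookups from one host, which is a much lower-noise signal than per-domain scoring. The port check is deliberately narrow (TCP only, external peers only) because 7777 is also used by legitimate software on internal networks.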
| Domain | ID | Name | Use |
| --- | --- | --- | --- |
| Mobile | T1406 | Obfuscated Files or Information | Mandrake obfuscates its hardcoded C2 URLs. |
| Mobile | T1636 | Protected User Data | - |
| Mobile | T1636.003 | Contact List | Mandrake can access the device’s contact list. |
| Mobile | T1636.004 | SMS Messages | Mandrake can access SMS messages. |
| Mobile | T1513 | Screen Capture | Mandrake can record the screen. |
| Mobile | T1582 | SMS Control | Mandrake can block, forward, hide, and send SMS messages. |
| Mobile | T1418 | Software Discovery | Mandrake can obtain a list of installed applications. |
| Mobile | T1409 | Stored Application Data | Mandrake can collect all accounts stored on the device. |
| Mobile | T1632 | Subvert Trust Controls | - |
| Mobile | T1632.001 | Code Signing Policy Modification | Mandrake can enable app installation from unknown sources. |
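Most of the capabilities listed so far (notification access, device administrator, accessibility abuse, default SMS handler, overlays, contacts, accounts, location, install from unknown sources, foreground service) leave traces in an APK's manifest before the sample is ever run. The following is an added example, not Mandrake's code and not the page's: it parses a constructed AndroidManifest.xml and maps the declarations it finds to the technique IDs in this table. The sample manifest, the permission-to-technique mapping and the `high_risk_combination` rule are an analyst's assumptions for illustration.

```python
"""Static triage of an AndroidManifest.xml for the permission and component
declarations behind several rows of this table. Added example, not Mandrake's
code; the sample manifest is constructed and the mapping is an assumption."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest showing the declarations the checks below look for.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.sample">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <application android:label="Sample">
    <receiver android:name=".AdminReceiver" android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter>
    </receiver>
    <service android:name=".A11yService" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter><action android:name="android.accessibilityservice.AccessibilityService"/></intent-filter>
    </service>
    <service android:name=".NotifService" android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
    <receiver android:name=".SmsReceiver" android:permission="android.permission.BROADCAST_SMS">
      <intent-filter><action android:name="android.provider.Telephony.SMS_DELIVER"/></intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Requested permission -> (technique ID from this table, why it matters).
PERMISSION_MAP = {
    "android.permission.RECEIVE_SMS": ("T1636.004", "read incoming SMS"),
    "android.permission.READ_SMS": ("T1636.004", "read stored SMS"),
    "android.permission.SEND_SMS": ("T1582", "send SMS"),
    "android.permission.READ_CONTACTS": ("T1636.003", "read contact list"),
    "android.permission.GET_ACCOUNTS": ("T1409", "enumerate device accounts"),
    "android.permission.ACCESS_FINE_LOCATION": ("T1430", "precise location"),
    "android.permission.SYSTEM_ALERT_WINDOW": ("T1417.002", "draw overlays over other apps"),
    "android.permission.REQUEST_INSTALL_PACKAGES": ("T1632.001", "install from unknown sources"),
    "android.permission.FOREGROUND_SERVICE": ("T1541", "run a foreground service"),
}
# Binding permission on a component -> the privileged component type it marks.
BIND_MAP = {
    "android.permission.BIND_DEVICE_ADMIN": ("T1629.001", "device administrator receiver"),
    "android.permission.BIND_ACCESSIBILITY_SERVICE": ("T1516", "accessibility service"),
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": ("T1517", "notification listener"),
}
# Intent actions the system requires an app to handle before it can become
# the default SMS app; declaring them is the precondition for T1582.
SMS_HANDLER_ACTIONS = {
    "android.provider.Telephony.SMS_DELIVER",
    "android.provider.Telephony.WAP_PUSH_DELIVER",
    "android.intent.action.RESPOND_VIA_MESSAGE",
}


def audit_manifest(xml_text: str) -> list:
    """Return sorted (technique_id, subject, reason) findings for one manifest."""
    root = ET.fromstring(xml_text)
    findings = []
    for el in root.iter("uses-permission"):
        perm = el.get(ANDROID_NS + "name", "")
        if perm in PERMISSION_MAP:
            tid, why = PERMISSION_MAP[perm]
            findings.append((tid, perm, why))
    for el in root.iter():
        if el.tag not in ("service", "receiver", "activity"):
            continue
        name = el.get(ANDROID_NS + "name", "?")
        bind = el.get(ANDROID_NS + "permission", "")
        if bind in BIND_MAP:
            tid, why = BIND_MAP[bind]
            findings.append((tid, name, why))
        actions = {a.get(ANDROID_NS + "name") for a in el.iter("action")}
        if actions & SMS_HANDLER_ACTIONS:
            findings.append(("T1582", name, "default SMS handler intent filter"))
    return sorted(findings)


def high_risk_combination(findings: list) -> bool:
    """The pattern in this table: accessibility abuse guarding a device-admin
    role and a default-SMS-handler role in the same app (an assumed rule)."""
    ids = {tid for tid, _, _ in findings}
    return {"T1516", "T1629.001", "T1582"} <= ids


if __name__ == "__main__":
    found = audit_manifest(SAMPLE_MANIFEST)
    for tid, subject, why in found:
        print(f"{tid:<10} {subject:<55} {why}")
    print("high-risk combination:", high_risk_combination(found))
```

Run it over the manifest decoded by apktool (the binary AXML inside the APK must be decoded to text first). A single finding such as `SYSTEM_ALERT_WINDOW` or `FOREGROUND_SERVICE` is common in benign apps; the value is in the combination, which is why the verdict function requires the accessibility service, device administrator receiver and SMS handler filter together rather than scoring permissions individually.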
| Domain | ID | Name | Use |
| --- | --- | --- | --- |
| Mobile | T1426 | System Information Discovery | Mandrake can access device configuration information and status, including Android version, battery level, device model, country, and SIM operator. |
| Mobile | T1633 | Virtualization/Sandbox Evasion | - |
| Mobile | T1633.001 | System Checks | Mandrake evades automated analysis environments by requiring a CAPTCHA to be solved on launch; if it is not solved, the application does not run. It also checks for indications that it is running in an emulator. |
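The page does not say which emulator indicators Mandrake looks for, but the system properties that Android malware usually keys on are well known, and an analyst wants to know which of them their own sandbox leaks. The following is an added example, not Mandrake's code and not the page's: it parses `adb shell getprop` output and reports which commonly used emulator tells fire. The two property dumps are constructed, and the indicator list and the two-hit threshold are assumptions.

```python
"""Check a getprop dump for the system-property tells that emulator checks
(T1633.001) commonly key on. Added example; the table does not say which
checks Mandrake performs, so this indicator list is a generic assumption."""
import re

# Constructed excerpts of `adb shell getprop` output (not captured from real devices).
EMULATOR_PROPS = """\
[ro.bootloader]: [unknown]
[ro.build.fingerprint]: [google/sdk_gphone_x86/generic_x86:11/TEST.001/1:user/release-keys]
[ro.hardware]: [ranchu]
[ro.kernel.qemu]: [1]
[ro.product.device]: [generic_x86]
[ro.product.model]: [sdk_gphone_x86]
[ro.serialno]: [EMULATOR30X1X2X0]
"""
PHONE_PROPS = """\
[ro.bootloader]: [A1XXU1BWA1]
[ro.build.fingerprint]: [vendorco/a1/a1:13/BUILD.001/1:user/release-keys]
[ro.hardware]: [qcom]
[ro.product.device]: [a1]
[ro.product.model]: [A1-5G]
[ro.serialno]: [R1AB0000001]
"""


def parse_getprop(dump: str) -> dict:
    """Turn '[key]: [value]' lines into a dict."""
    return dict(re.findall(r"^\[(.+?)\]: \[(.*?)\]$", dump, flags=re.MULTILINE))


# (property, predicate on its value, label) for widely used emulator indicators.
INDICATORS = [
    ("ro.kernel.qemu", lambda v: v == "1", "ro.kernel.qemu=1"),
    ("ro.hardware", lambda v: v in ("goldfish", "ranchu"), "goldfish/ranchu hardware"),
    ("ro.product.device", lambda v: v.startswith("generic"), "generic product device"),
    ("ro.product.model", lambda v: "sdk" in v.lower() or "emulator" in v.lower(), "SDK model name"),
    ("ro.build.fingerprint", lambda v: "generic" in v, "generic build fingerprint"),
    ("ro.bootloader", lambda v: v == "unknown", "unknown bootloader"),
    ("ro.serialno", lambda v: v.startswith("EMULATOR"), "EMULATOR serial number"),
]


def emulator_indicators(props: dict) -> list:
    """Return the labels of every indicator that fires on this property set."""
    return [label for key, pred, label in INDICATORS if pred(props.get(key, ""))]


def looks_like_emulator(props: dict, min_hits: int = 2) -> bool:
    # One hit can be a quirk of an unusual device build; require several.
    return len(emulator_indicators(props)) >= min_hits


if __name__ == "__main__":
    for name, dump in (("emulator", EMULATOR_PROPS), ("phone", PHONE_PROPS)):
        hits = emulator_indicators(parse_getprop(dump))
        print(f"{name}: {len(hits)} indicator(s) {hits}")
```

Each label that fires against your sandbox is a property the image should override before a sample with these checks will run; a zero-hit result does not mean the sandbox is clean, since checks against sensors, telephony state, installed apps and the CAPTCHA gate described in the table are not covered by system properties at all.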
| Domain | ID | Name | Use |
| --- | --- | --- | --- |
| Mobile | T1481 | Web Service | - |
| Mobile | T1481.002 | Bidirectional Communication | Mandrake has used Firebase for C2. |