{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,6,5]],"date-time":"2026-06-05T02:38:45Z","timestamp":1780627125179,"version":"3.54.1"},"reference-count":21,"publisher":"MDPI AG","issue":"19","license":[{"start":{"date-parts":[[2021,9,29]],"date-time":"2021-09-29T00:00:00Z","timestamp":1632873600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"DOI":"10.13039\/501100005073","name":"Agency for Defense Development","doi-asserted-by":"publisher","award":["UD190016ED"],"award-info":[{"award-number":["UD190016ED"]}],"id":[{"id":"10.13039\/501100005073","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Sensors"],"abstract":"<jats:p>During the past decade, mobile attacks have been established as an indispensable attack vector adopted by Advanced Persistent Threat (APT) groups. The ubiquitous nature of the smartphone has allowed users to use mobile payments and store private or sensitive data (i.e., login credentials). Consequently, various APT groups have focused on exploiting these vulnerabilities. Past studies have proposed automated classification and detection methods, while few studies have covered the cyber attribution. Our study introduces an automated system that focuses on cyber attribution. Adopting MITRE\u2019s ATT&amp;CK for mobile, we performed our study using the tactic, technique, and procedures (TTPs). By comparing the indicator of compromise (IoC), we were able to help reduce the false flags during our experiment. Moreover, we examined 12 threat actors and 120 malware using the automated method for detecting cyber attribution.<\/jats:p>","DOI":"10.3390\/s21196522","type":"journal-article","created":{"date-parts":[[2021,10,8]],"date-time":"2021-10-08T21:26:20Z","timestamp":1633728380000},"page":"6522","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":31,"title":["Automatically Attributing Mobile Threat Actors by Vectorized ATT&amp;CK Matrix and Paired Indicator"],"prefix":"10.3390","volume":"21","author":[{"ORCID":"https:\/\/orcid.org\/0000-0001-9146-5441","authenticated-orcid":false,"given":"Kyoungmin","family":"Kim","sequence":"first","affiliation":[{"name":"Institute of Cyber Security & Privacy (ICSP), Korea University, Seoul 02841, Korea"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-6783-1007","authenticated-orcid":false,"given":"Youngsup","family":"Shin","sequence":"additional","affiliation":[{"name":"Institute of Cyber Security & Privacy (ICSP), Korea University, Seoul 02841, Korea"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-5739-1004","authenticated-orcid":false,"given":"Justin","family":"Lee","sequence":"additional","affiliation":[{"name":"Institute of Cyber Security & Privacy (ICSP), Korea University, Seoul 02841, Korea"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-5183-5927","authenticated-orcid":false,"given":"Kyungho","family":"Lee","sequence":"additional","affiliation":[{"name":"Center for Information Security Technology (CIST), Korea University, Seoul 02841, Korea"}],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"1968","published-online":{"date-parts":[[2021,9,29]]},"reference":[{"key":"ref_1","doi-asserted-by":"crossref","first-page":"21","DOI":"10.1145\/317665.317670","article-title":"Personal computing: The post-PC era","volume":"42","author":"Press","year":"1999","journal-title":"Commun. ACM"},{"key":"ref_2","unstructured":"Delac, G., Silic, M., and Krolo, J. (2011, January 23\u201327). Emerging security threats for mobile platforms. Proceedings of the 34th International Convention MIPRO, Opatija, Croatia."},{"key":"ref_3","doi-asserted-by":"crossref","first-page":"3529","DOI":"10.1007\/s11042-018-6498-z","article-title":"A novel approach for mobile malware classification and detection in Android systems","volume":"78","author":"Zhou","year":"2019","journal-title":"Multimed. Tools Appl."},{"key":"ref_4","doi-asserted-by":"crossref","first-page":"266","DOI":"10.1016\/j.compeleceng.2017.02.013","article-title":"Machine learning aided Android malware classification","volume":"62","author":"Milosevic","year":"2017","journal-title":"Comput. Electr. Eng."},{"key":"ref_5","doi-asserted-by":"crossref","unstructured":"Lederm, T., and Clarke, N.L. (2011). Risk assessment for mobile devices. International Conference on Trust, Privacy and Security in Digital Business, Springer.","DOI":"10.1007\/978-3-642-22890-2_18"},{"key":"ref_6","doi-asserted-by":"crossref","first-page":"571","DOI":"10.1109\/TDSC.2014.2366457","article-title":"Towards automated risk assessment and mitigation of mobile applications","volume":"12","author":"Jing","year":"2014","journal-title":"IEEE Trans. Dependable Secur. Comput."},{"key":"ref_7","doi-asserted-by":"crossref","first-page":"1749","DOI":"10.1109\/TCYB.2016.2537649","article-title":"Risk assessment for mobile systems through a multilayered hierarchical Bayesian network","volume":"46","author":"Li","year":"2016","journal-title":"IEEE Trans. Cybern."},{"key":"ref_8","doi-asserted-by":"crossref","first-page":"4","DOI":"10.1080\/01402390.2014.977382","article-title":"Attributing cyber attacks","volume":"28","author":"Rid","year":"2015","journal-title":"J. Strateg. Stud."},{"key":"ref_9","doi-asserted-by":"crossref","unstructured":"Qiang, L., Zeming, Y., Baoxu, L., Zhengwei, J., and Jian, Y. (2016). Framework of cyber attack attribution based on threat intelligence. Interoperability, Safety and Security in IoT, Springer.","DOI":"10.1007\/978-3-319-52727-7_11"},{"key":"ref_10","unstructured":"Office of the Director of National Intelligence (2018). A Guide to Cyber Attribution, Office of the Director of National Intelligence."},{"key":"ref_11","unstructured":"Pahi, T., and Skopik, F. (2019, January 4\u20135). Cyber attribution 2.0: Capture the false flag. Proceedings of the 18th European Conference on Cyber Warfare and Security (ECCWS 2019), Coimbra, Portugal."},{"key":"ref_12","doi-asserted-by":"crossref","unstructured":"Sebastian, S., and Caballero, J. Towards attribution in mobile markets: Identifying developer account polymorphism. Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security.","DOI":"10.1145\/3372297.3417281"},{"key":"ref_13","unstructured":"(2021, August 30). MITRE ATT&CK. Available online: https:\/\/attack.mitre.org\/."},{"key":"ref_14","unstructured":"Strom, B.E., Applebaum, A., Miller, D.P., Nickels, K.C., Pennington, A.G., Thomas, C.B., and Mitre Att&ck: Design and Philosophy (2021, August 30). MITRE. Available online: https:\/\/attack.mitre.org\/docs\/ATTACK_Design_and_Philosophy_March_2020.pdf."},{"key":"ref_15","unstructured":"(2021, August 30). Joe Sandbox. Available online: https:\/\/www.joesecurity.org."},{"key":"ref_16","unstructured":"(2021, August 30). Intezer. Available online: https:\/\/www.intezer.com."},{"key":"ref_17","unstructured":"Oktavianto, Digit, and Iqbal Muhardianto (2013). Cuckoo Malware Analysis, Packt Publishing Ltd."},{"key":"ref_18","unstructured":"(2021, August 30). Virustotal. Available online: https:\/\/www.virustotal.com."},{"key":"ref_19","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1186\/s42400-020-00048-4","article-title":"Under false flag: Using technical artifacts for cyber attack attribution","volume":"3","author":"Skopik","year":"2020","journal-title":"Cybersecurity"},{"key":"ref_20","unstructured":"Alyac (2021, April 19). [Special Report] APT Campaign \u2019Konni\u2019 & \u2019Thallium (Kimsuky)\u2019 Found in Common. EstSecurity(blog). 10 June 2019. Available online: https:\/\/perma.cc\/P2ED-T2BY."},{"key":"ref_21","unstructured":"Cimpanu, C. (2021, August 30). Chinese Android Malware Gang Still Active and Targeting Koreans 8 Years Later. The Record (Blog). 8 April 2021. Available online: https:\/\/therecord.media\/chinese-android-malware-gang-still-active-and-targeting-koreans-8-years-later."}],"container-title":["Sensors"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/1424-8220\/21\/19\/6522\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,11]],"date-time":"2025-10-11T07:07:33Z","timestamp":1760166453000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/1424-8220\/21\/19\/6522"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2021,9,29]]},"references-count":21,"journal-issue":{"issue":"19","published-online":{"date-parts":[[2021,10]]}},"alternative-id":["s21196522"],"URL":"https:\/\/doi.org\/10.3390\/s21196522","relation":{},"ISSN":["1424-8220"],"issn-type":[{"value":"1424-8220","type":"electronic"}],"subject":[],"published":{"date-parts":[[2021,9,29]]}}}