ID | Name | Description |
---|---|---|
T1453 | Abuse Accessibility Features | **Deprecation Warning** This technique has been deprecated by Input Capture, Input Injection, and Input Prompt. |
T1401 | Abuse Device Administrator Access to Prevent Removal | A malicious application can request Device Administrator privileges. If the user grants the privileges, the application can take steps to make its removal more difficult. |
T1435 | Access Calendar Entries | An adversary could call standard operating system APIs from a malicious application to gather calendar entry data, or with escalated privileges could directly access files containing calendar data. |
T1433 | Access Call Log | On Android, an adversary could call standard operating system APIs from a malicious application to gather call log data, or with escalated privileges could directly access files containing call log data. |
T1432 | Access Contact List | An adversary could call standard operating system APIs from a malicious application to gather contact list (i.e., address book) data, or with escalated privileges could directly access files containing contact list data. |
T1517 | Access Notifications | A malicious application can read notifications sent by the operating system or other applications, which may contain sensitive data such as one-time authentication codes sent over SMS, email, or other mediums. A malicious application can also dismiss notifications to prevent the user from noticing that the notifications arrived and can trigger action buttons contained within notifications. |
T1413 | Access Sensitive Data in Device Logs | On versions of Android prior to 4.1, an adversary may use a malicious application that holds the READ_LOGS permission to obtain private keys, passwords, other credentials, or other sensitive data stored in the device's system log. On Android 4.1 and later, an adversary would need to attempt to perform an operating system privilege escalation attack to be able to access the log. |
T1409 | Access Stored Application Data | Adversaries may access and collect application data resident on the device. Adversaries often target popular applications such as Facebook, WeChat, and Gmail. |
T1438 | Alternate Network Mediums | Adversaries can communicate using cellular networks rather than enterprise Wi-Fi in order to bypass enterprise network monitoring systems. Adversaries may also communicate using other non-Internet Protocol mediums such as SMS, NFC, or Bluetooth to bypass network monitoring systems. |
T1416 | Android Intent Hijacking | A malicious app can register to receive intents meant for other applications and may then be able to receive sensitive values such as OAuth authorization codes. |
T1402 | App Auto-Start at Device Boot | An Android application can listen for the BOOT_COMPLETED broadcast, ensuring that the app's functionality will be activated every time the device starts up without having to wait for the device user to manually start the app. |
T1418 | Application Discovery | Adversaries may seek to identify all applications installed on the device. One use case for doing so is to identify the presence of endpoint security applications that may increase the adversary's risk of detection. Another use case is to identify the presence of applications that the adversary may wish to target. |
T1427 | Attack PC via USB Connection | With escalated privileges, an adversary could program the mobile device to impersonate USB devices such as input devices (keyboard and mouse), storage devices, and/or networking devices in order to attack a physically connected PC. This technique has been demonstrated on Android. We are unaware of any demonstrations on iOS. |
T1429 | Capture Audio | Adversaries may capture audio to collect information on a user of a mobile device using standard operating system APIs. Adversaries may target audio information such as user conversations, surroundings, phone calls, or other sensitive information. |
T1512 | Capture Camera | Adversaries may utilize the camera to capture information about the user, their surroundings, or other physical identifiers. Adversaries may use the physical camera devices on a mobile device to capture images or video. By default, in Android and iOS, an application must request permission to access a camera device, which is granted by the user through a request prompt. In Android, applications must hold the |
T1414 | Capture Clipboard Data | Adversaries may abuse Clipboard Manager APIs to obtain sensitive information copied to the global clipboard. For example, passwords being copy-and-pasted from a password manager app could be captured by another application installed on the device. |
T1412 | Capture SMS Messages | A malicious application could capture sensitive data sent via SMS, including authentication credentials. SMS is frequently used to transmit codes used for multi-factor authentication. |
T1510 | Clipboard Modification | Adversaries may abuse clipboard functionality to intercept and replace information in the Android device clipboard. Malicious applications may monitor the clipboard activity through the |
T1436 | Commonly Used Port | Adversaries may communicate over a commonly used port to bypass firewalls or network detection systems and to blend with normal network activity to avoid more detailed inspection. |
T1532 | Data Encrypted | Data is encrypted before being exfiltrated in order to hide the information that is being exfiltrated from detection or to make the exfiltration less conspicuous upon inspection by a defender. The encryption is performed by a utility, programming library, or custom algorithm on the data itself and is considered separate from any encryption performed by the command and control or file transfer protocol. Common file formats that can encrypt files are RAR and zip. |
T1471 | Data Encrypted for Impact | An adversary may encrypt files stored on the mobile device to prevent the user from accessing them, for example with the intent of only unlocking access to the files after a ransom is paid. Without escalated privileges, the adversary is generally limited to only encrypting files in external/shared storage locations. This technique has been demonstrated on Android. We are unaware of any demonstrated use on iOS. |
T1533 | Data from Local System | Sensitive data can be collected from local system sources, such as the file system or databases of information residing on the system. |
T1447 | Delete Device Data | An adversary could wipe the entire device contents or delete specific files. A malicious application could obtain and abuse Android device administrator access to wipe the entire device. Access to external storage directories or escalated privileges could be used to delete individual files. |
T1475 | Deliver Malicious App via Authorized App Store | Malicious applications are a common attack vector used by adversaries to gain a presence on mobile devices. Mobile devices often are configured to allow application installation only from an authorized app store (e.g., Google Play Store or Apple App Store). An adversary may seek to place a malicious application in an authorized app store, enabling the application to be installed onto targeted devices. |
T1476 | Deliver Malicious App via Other Means | Malicious applications are a common attack vector used by adversaries to gain a presence on mobile devices. This technique describes installing a malicious application on targeted mobile devices without involving an authorized app store (e.g., Google Play Store or Apple App Store). Adversaries may wish to avoid placing malicious applications in an authorized app store due to increased potential risk of detection or other reasons. However, mobile devices often are configured to allow application installation only from an authorized app store, which would prevent this technique from working. |
T1446 | Device Lockout | An adversary may seek to lock the legitimate user out of the device, for example to inhibit user interaction or to obtain a ransom payment. |
T1408 | Disguise Root/Jailbreak Indicators | An adversary could use knowledge of the techniques used by security software to evade detection. For example, some mobile security products perform compromised device detection by searching for particular artifacts such as an installed "su" binary, but that check could be evaded by naming the binary something else. Similarly, polymorphic code techniques could be used to evade signature-based detection. |
T1520 | Domain Generation Algorithms | Adversaries may use Domain Generation Algorithms (DGAs) to procedurally generate domain names for command and control communication, and other uses such as malicious application distribution. |
T1466 | Downgrade to Insecure Protocols | An adversary could cause the mobile device to use less secure protocols, for example by jamming frequencies used by newer protocols such as LTE and only allowing older protocols such as GSM to communicate. Use of less secure protocols may make communication easier to eavesdrop upon or manipulate. |
T1407 | Download New Code at Runtime | An app could download and execute dynamic code (not included in the original application package) after installation to evade static analysis techniques (and potentially dynamic analysis techniques) used for application vetting or application store review. |
T1456 | Drive-by Compromise | As described by Drive-by Compromise, a drive-by compromise is when an adversary gains access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's web browser is targeted for exploitation. For example, a website may contain malicious media content intended to exploit vulnerabilities in media parsers, as demonstrated by the Android Stagefright vulnerability. |
T1439 | Eavesdrop on Insecure Network Communication | If network traffic between the mobile device and remote servers is unencrypted or is encrypted in an insecure manner, then an adversary positioned on the network can eavesdrop on communication. |
T1523 | Evade Analysis Environment | Malicious applications may attempt to detect their operating environment prior to fully executing their payloads. These checks are often used to ensure the application is not running within an analysis environment such as a sandbox used for application vetting, security research, or reverse engineering. |
T1428 | Exploit Enterprise Resources | Adversaries may attempt to exploit enterprise servers, workstations, or other resources over the network. This technique may take advantage of the mobile device's access to an internal enterprise network either through local connectivity or through a Virtual Private Network (VPN). |
T1404 | Exploit OS Vulnerability | A malicious app can exploit unpatched vulnerabilities in the operating system to obtain escalated privileges. |
T1449 | Exploit SS7 to Redirect Phone Calls/SMS | An adversary could exploit signaling system vulnerabilities to redirect calls or text messages (SMS) to a phone number under the attacker's control. The adversary could then act as a man-in-the-middle to intercept or manipulate the communication. Interception of SMS messages could enable adversaries to obtain authentication codes used for multi-factor authentication. |
T1450 | Exploit SS7 to Track Device Location | An adversary could exploit signaling system vulnerabilities to track the location of mobile devices. |
T1405 | Exploit TEE Vulnerability | A malicious app or other attack vector could be used to exploit vulnerabilities in code running within the Trusted Execution Environment (TEE). The adversary could then obtain privileges held by the TEE, potentially including the ability to access cryptographic keys or other sensitive data. Escalated operating system privileges may be first required in order to have the ability to attack the TEE. If not, privileges within the TEE can potentially be used to exploit the operating system. |
T1458 | Exploit via Charging Station or PC | If the mobile device is connected (typically via USB) to a charging station or a PC, for example to charge the device's battery, then a compromised or malicious charging station or PC could attempt to exploit the mobile device via the connection. |
T1477 | Exploit via Radio Interfaces | The mobile device may be targeted for exploitation through its interface to cellular networks or other radio interfaces. |
T1420 | File and Directory Discovery | On Android, command line tools or the Java file APIs can be used to enumerate file system contents. However, Linux file permissions and SELinux policies generally strongly restrict what can be accessed by apps (without taking advantage of a privilege escalation exploit). The contents of the external storage directory are generally visible, which could present concern if sensitive data is inappropriately stored there. |
T1472 | Generate Fraudulent Advertising Revenue | An adversary could seek to generate fraudulent advertising revenue from mobile devices, for example by triggering automatic clicks of advertising links without user involvement. |
T1417 | Input Capture | Adversaries may capture user input to obtain credentials or other information from the user through various methods. |
T1516 | Input Injection | A malicious application can inject input to the user interface to mimic user interaction through the abuse of Android's accessibility APIs. |
T1411 | Input Prompt | The operating system and installed applications often have legitimate needs to prompt the user for sensitive information such as account credentials, bank account information, or Personally Identifiable Information (PII). Adversaries may mimic this functionality to prompt users for sensitive information. |
T1478 | Install Insecure or Malicious Configuration | An adversary could attempt to install insecure or malicious configuration settings on the mobile device, through means such as phishing emails or text messages either directly containing the configuration settings as an attachment, or containing a web link to the configuration settings. The device user may be tricked into installing the configuration settings through social engineering techniques. |
T1464 | Jamming or Denial of Service | An attacker could jam radio signals (e.g. Wi-Fi, cellular, GPS) to prevent the mobile device from communicating. |
T1430 | Location Tracking | An adversary could use a malicious or exploited application to surreptitiously track the device's physical location through use of standard operating system APIs. |
T1461 | Lockscreen Bypass | An adversary with physical access to a mobile device may seek to bypass the device's lockscreen. |
T1452 | Manipulate App Store Rankings or Ratings | An adversary could use access to a compromised device's credentials to attempt to manipulate app store rankings or ratings by triggering application downloads or posting fake reviews of applications. This technique likely requires privileged access (a rooted or jailbroken device). |
T1463 | Manipulate Device Communication | If network traffic between the mobile device and a remote server is not securely protected, then an attacker positioned on the network may be able to manipulate network communication without being detected. For example, FireEye researchers found in 2014 that 68% of the top 1,000 free applications in the Google Play Store had at least one Transport Layer Security (TLS) implementation vulnerability, potentially opening the applications' network traffic to man-in-the-middle attacks. |
T1444 | Masquerade as Legitimate Application | An adversary could distribute developed malware by masquerading the malware as a legitimate application. This can be done in two different ways: by embedding the malware in a legitimate application, or by pretending to be a legitimate application. |
T1403 | Modify Cached Executable Code | ART (the Android Runtime) compiles optimized code on the device itself to improve performance. An adversary may be able to use escalated privileges to modify the cached code in order to hide malicious behavior. Since the code is compiled on the device, it may not receive the same level of integrity checks that are provided to code running in the system partition. |
T1398 | Modify OS Kernel or Boot Partition | If an adversary can escalate privileges, he or she may be able to use those privileges to place malicious code in the device kernel or other boot partition components, where the code may evade detection, may persist after device resets, and may not be removable by the device user. In some cases (e.g., the Samsung Knox warranty bit as described under Detection), the attack may be detected but could result in the device being placed in a state that no longer allows certain functionality. |
T1400 | Modify System Partition | If an adversary can escalate privileges, he or she may be able to use those privileges to place malicious code in the device system partition, where it may persist after device resets and may not be easily removed by the device user. |
T1399 | Modify Trusted Execution Environment | If an adversary can escalate privileges, he or she may be able to use those privileges to place malicious code in the device's Trusted Execution Environment (TEE) or other similar isolated execution environment, where the code can evade detection, may persist after device resets, and may not be removable by the device user. Running code within the TEE may provide an adversary with the ability to monitor or tamper with overall device behavior. |
T1507 | Network Information Discovery | Adversaries may use device sensors to collect information about nearby networks, such as Wi-Fi and Bluetooth. |
T1423 | Network Service Scanning | Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation. Methods to acquire this information include port scans and vulnerability scans from the mobile device. This technique may take advantage of the mobile device's access to an internal enterprise network either through local connectivity or through a Virtual Private Network (VPN). |
T1410 | Network Traffic Capture or Redirection | An adversary may capture network traffic to and from the device to obtain credentials or other sensitive data, or redirect network traffic to flow through an adversary-controlled gateway to do the same. |
T1406 | Obfuscated Files or Information | An app could contain malicious code in obfuscated or encrypted form, then deobfuscate or decrypt the code at runtime to evade many app vetting techniques. |
T1470 | Obtain Device Cloud Backups | An adversary who is able to obtain unauthorized access to or misuse authorized access to cloud backup services (e.g. Google's Android backup service or Apple's iCloud) could use that access to obtain sensitive data stored in device backups. For example, the Elcomsoft Phone Breaker product advertises the ability to retrieve iOS backup data from Apple's iCloud. Elcomsoft also describes obtaining WhatsApp communication histories from backups stored in iCloud. |
T1448 | Premium SMS Toll Fraud | A malicious app could use standard Android APIs to send SMS messages. SMS messages could potentially be sent to premium numbers that charge the device owner and generate revenue for an adversary. |
T1424 | Process Discovery | On Android versions prior to 5, applications can observe information about other processes that are running through methods in the ActivityManager class. On Android versions prior to 7, applications can obtain this information by executing the |
T1468 | Remotely Track Device Without Authorization | An adversary who is able to obtain unauthorized access to or misuse authorized access to cloud services (e.g. Google's Android Device Manager or Apple iCloud's Find my iPhone) or to an enterprise mobility management (EMM) / mobile device management (MDM) server console could use that access to track mobile devices. |
T1469 | Remotely Wipe Data Without Authorization | An adversary who is able to obtain unauthorized access to or misuse authorized access to cloud services (e.g. Google's Android Device Manager or Apple iCloud's Find my iPhone) or to an EMM console could use that access to wipe enrolled devices. |
T1467 | Rogue Cellular Base Station | An adversary could set up a rogue cellular base station and then use it to eavesdrop on or manipulate cellular device communication. A compromised cellular femtocell could be used to carry out this technique. |
T1465 | Rogue Wi-Fi Access Points | An adversary could set up unauthorized Wi-Fi access points or compromise existing access points and, if the device connects to them, carry out network-based attacks such as eavesdropping on or modifying network communication. |
T1513 | Screen Capture | Adversaries may use screen captures to collect information about applications running in the foreground, capture user data, credentials, or other sensitive information. Applications running in the background can capture screenshots or videos of another application running in the foreground by using the Android |
T1451 | SIM Card Swap | An adversary could convince the mobile network operator (e.g. through social networking, forged identification, or insider attacks performed by trusted employees) to issue a new SIM card and associate it with an existing phone number and account. The adversary could then obtain SMS messages or hijack phone calls intended for someone else. |
T1437 | Standard Application Layer Protocol | Adversaries may communicate using a common, standardized application layer protocol such as HTTP, HTTPS, SMTP, or DNS to avoid detection by blending in with existing traffic. |
T1521 | Standard Cryptographic Protocol | Adversaries may explicitly employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if necessary secret keys are encoded and/or generated within malware samples/configuration files. |
T1474 | Supply Chain Compromise | As further described in Supply Chain Compromise, supply chain compromise is the manipulation of products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise. Somewhat related, adversaries could also identify and exploit inadvertently present vulnerabilities. In many cases, it may be difficult to be certain whether exploitable functionality is due to malicious intent or simply an inadvertent mistake. |
T1508 | Suppress Application Icon | A malicious application could suppress its icon from being displayed to the user in the application launcher to hide the fact that it is installed, and to make it more difficult for the user to uninstall the application. Hiding the application's icon programmatically does not require any special permissions. |
T1426 | System Information Discovery | An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, and architecture. |
T1422 | System Network Configuration Discovery | On Android, details of onboard network interfaces are accessible to apps through the java.net.NetworkInterface class. The Android TelephonyManager class can be used to gather related information such as the IMSI, IMEI, and phone number. |
T1421 | System Network Connections Discovery | On Android, applications can use standard APIs to gather a list of network connections to and from the device. For example, the Network Connections app available in the Google Play Store advertises this functionality. |
T1509 | Uncommonly Used Port | Adversaries may use non-standard ports to exfiltrate information. |
T1415 | URL Scheme Hijacking | An iOS application may be able to maliciously claim a URL scheme, allowing it to intercept calls that are meant for a different application. This technique, for example, could be used to capture OAuth authorization codes or to phish user credentials. |
T1481 | Web Service | Adversaries may use an existing, legitimate external Web service as a means for relaying commands to a compromised system. |