Phishing

Adversaries may send malicious content to users in order to gain access to their mobile devices. All forms of phishing are electronically delivered social engineering. Adversaries can conduct both non-targeted phishing, such as in mass malware spam campaigns, as well as more targeted phishing tailored for a specific individual, company, or industry, known as "spearphishing". Phishing often involves social engineering techniques, such as posing as a trusted source, as well as evasion techniques, such as removing or manipulating emails or metadata/headers from compromised accounts being abused to send messages.

Mobile phishing may take various forms. For example, adversaries may send emails containing malicious attachments or links, typically to deliver and then execute malicious code on victim devices. Phishing may also be conducted via third-party services, like social media platforms.

Mobile devices are a particularly attractive target for adversaries executing phishing campaigns. Because mobile devices have a smaller form factor than traditional desktop endpoints, users may not be able to notice minor differences between genuine and phishing websites. Further, mobile devices have additional sensors and radios that allow adversaries to execute phishing attempts over several different vectors, such as:

  • SMS messages: Adversaries may send SMS messages (known as "smishing") from compromised devices to potential targets to convince the target to, for example, install malware, navigate to a specific website, or enable certain insecure configurations on their device.
  • Quick Response (QR) Codes: Adversaries may use QR codes (known as "quishing") to redirect users to a phishing website. For example, an adversary could replace a legitimate public QR Code with one that leads to a different destination, such as a phishing website. A malicious QR code could also be delivered via other means, such as SMS or email. In the latter case, an adversary could utilize a malicious QR code in an email to pivot from the user’s desktop computer to their mobile device.
  • Phone Calls: Adversaries may call victims (known as "vishing") to persuade them to perform an action, such as providing login credentials or navigating to a malicious website. This could also be used as a technique to perform the initial access on a mobile device, but then pivot to a computer/other network by having the victim perform an action on a desktop computer.
ID: T1660
Sub-techniques: No sub-techniques
Tactic Type: Post-Adversary Device Access
Tactic: Initial Access
Platforms: Android, iOS
MTC ID: AUT-9
Contributors: Adam Mashinchi; Brian Donohue; Naveen Devaraja, bolttech; Sam Seabrook, Duke Energy; Vijay Lalwani; Will Thomas, Equinix
Version: 1.0
Created: 21 September 2023
Last Modified: 29 September 2023

Procedure Examples

ID Name Description
G1028 APT-C-23

APT-C-23 sends malicious links to victims to download the masqueraded application.[1][2]

G1002 BITTER

BITTER has delivered malicious applications to victims via shortened URLs distributed through SMS, WhatsApp, and various social media platforms.[3]

S1094 BRATA

BRATA has been distributed using phishing techniques, such as push notifications from compromised websites.[4]

S0289 Pegasus for iOS

Pegasus for iOS has been distributed via malicious links in SMS messages.[5]

G0034 Sandworm Team

Sandworm Team used SMS-based phishing to target victims with malicious links.[6]

G1015 Scattered Spider

Scattered Spider has sent SMS phishing messages to employee phone numbers with a link to a site configured with a fake credential harvesting login portal.[7]

G1029 UNC788

UNC788 has used phishing and social engineering to distribute malware.[8]

Mitigations

ID Mitigation Description
M1058 Antivirus/Antimalware

Some mobile security products offer a loopback VPN used for inspecting traffic. This could proactively block traffic to websites that are known for phishing or appear to be conducting a phishing attack.

M1011 User Guidance

Users can be trained to identify social engineering techniques and phishing emails.

Detection

ID Data Source Data Component Detects
DS0029 Network Traffic Network Traffic Content

Mobile security products may provide URL inspection services that could determine if a domain being visited is malicious.

Network Traffic Flow

Enterprises may be able to detect anomalous traffic originating from mobile devices, which could indicate compromise.
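As an added illustration of the URL inspection described under DS0029 (example code written for this page, not MITRE's or any vendor's), the following Python extracts links from constructed SMS text and flags them against a constructed blocklist, known URL shorteners, and lookalike hosts that embed a protected brand name outside its legitimate domain. The message samples, blocklist, shortener set and brand map are all assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed sample SMS messages (not taken from the page); typical smishing lures.
SAMPLE_SMS = [
    "Your parcel is waiting: confirm delivery at https://bit.ly/3xAbCdE",
    "Security alert from ExampleBank: verify at https://examplebank-secure-login.com/verify",
    "Meeting moved to 3pm, agenda here: https://intranet.example.com/agenda",
    "Reminder: your ExampleBank statement is ready at https://www.examplebank.com/statements",
]

# Assumed reference data: a small constructed blocklist, common public shorteners,
# and the brands the organisation protects mapped to their legitimate domains.
BLOCKLIST = {"examplebank-secure-login.com"}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}
PROTECTED_BRANDS = {"examplebank": {"examplebank.com"}}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def registrable_domain(host):
    # Naive eTLD+1 (last two labels); a real deployment would use the Public Suffix List.
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_url(url):
    """Return the reasons a URL looks suspicious (an empty list means no finding)."""
    host = (urlsplit(url).hostname or "").lower()
    reg = registrable_domain(host)
    reasons = []
    if reg in BLOCKLIST or host in BLOCKLIST:
        reasons.append("blocklisted")
    if reg in SHORTENERS:
        reasons.append("url-shortener")  # hides the true destination from the user
    for brand, legit_domains in PROTECTED_BRANDS.items():
        if brand in host and reg not in legit_domains:
            reasons.append(f"lookalike:{brand}")  # brand name on a non-brand domain
    return reasons


def scan_messages(messages):
    """Map message index -> list of (url, reasons) for every flagged link."""
    findings = {}
    for i, text in enumerate(messages):
        for url in URL_RE.findall(text):
            reasons = classify_url(url)
            if reasons:
                findings.setdefault(i, []).append((url, reasons))
    return findings


if __name__ == "__main__":
    for idx, hits in scan_messages(SAMPLE_SMS).items():
        for url, reasons in hits:
            print(f"message {idx}: {url} -> {', '.join(reasons)}")
```

Messages 0 and 1 are flagged (shortener, and blocklisted plus lookalike respectively); the two links on legitimate domains produce no finding.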

References