Visual activity on the device that could alert the user to potentially malicious behavior.
System prompts triggered when an application requests new or additional permissions
System prompts triggered when an application requests new or additional permissions
| Domain | ID | Name | Detects | |
|---|---|---|---|---|
| Mobile | T1626 | Abuse Elevation Control Mechanism |
When an application requests administrator permission, the user is presented with a popup and the option to grant or deny the request. |
|
| .001 | Device Administrator Permissions |
The user is prompted for approval when an application requests device administrator permissions. |
||
| Mobile | T1638 | Adversary-in-the-Middle |
On both Android and iOS, the user must grant consent to an application to act as a VPN. Both platforms also provide visual context to the user in the top status bar when a VPN connection is active. The user can see registered VPN services in the device settings. |
|
| Mobile | T1662 | Data Destruction |
The user is prompted for approval when an application requests device administrator permissions. |
|
| Mobile | T1420 | File and Directory Discovery |
On Android, the user is presented with a permissions popup when an application requests access to external device storage. |
|
| Mobile | T1663 | Remote Access Software |
Remote access software typically requires many privileged permissions, such as accessibility services or device administrator. |
|
Notifications generated by the OS
Notifications generated by the OS
| Domain | ID | Name | Detects | |
|---|---|---|---|---|
| Mobile | T1616 | Call Control |
The user can review available call logs for irregularities, such as missing or unrecognized calls. |
|
| Mobile | T1627 | .001 | Execution Guardrails: Geofencing |
On Android 10 and later, the system shows a notification to the user when an app has been accessing device location in the background. |
| Mobile | T1541 | Foreground Persistence |
The user can see persistent notifications in their notification drawer and can subsequently uninstall applications that do not belong. |
|
| Mobile | T1430 | .001 | Location Tracking: Remote Device Management Services |
Google sends a notification to the device when Android Device Manager is used to locate it. Additionally, Google provides the ability for users to view their general account activity and alerts users when their credentials have been used on a new device. Apple iCloud also provides notifications to users of account activity such as when credentials have been used. |
| Mobile | T1655 | Masquerading |
Unexpected behavior from an application could be an indicator of masquerading. |
|
| .001 | Match Legitimate Name or Location |
Unexpected behavior from an application could be an indicator of masquerading. |
||
| Mobile | T1464 | Network Denial of Service | ||
| Mobile | T1644 | Out of Band Data |
If the user sees a notification with text they do not recognize, they should review their list of installed applications. |
|
| Mobile | T1635 | Steal Application Access Token |
On Android, users may be presented with a popup to select the appropriate application to open a URI in. If the user sees an application they do not recognize, they can remove it. |
|
| .001 | URI Hijacking |
On Android, users may be presented with a popup to select the appropriate application to open the URI in. If the user sees an application they do not recognize, they can remove it. |
||
Settings visible to the user on the device
Settings visible to the user on the device
| Domain | ID | Name | Detects | |
|---|---|---|---|---|
| Mobile | T1626 | .001 | Abuse Elevation Control Mechanism: Device Administrator Permissions |
The user can see which applications are registered as device administrators in the device settings. |
| Mobile | T1517 | Access Notifications |
The user can also inspect and modify the list of applications that have notification access through the device settings (e.g. Apps & notification -> Special app access -> Notification access). |
|
| Mobile | T1429 | Audio Capture |
In iOS 14 and up, an orange dot (or orange square if the Differentiate Without Color setting is enabled) appears in the status bar when the microphone is being used by an application. However, there have been demonstrations indicating it may still be possible to access the microphone in the background without triggering this visual indicator by abusing features that natively access the microphone or camera but do not trigger the visual indicators.[1] In Android 12 and up, a green dot appears in the status bar when the microphone is being used by an application.[2] |
|
| Mobile | T1616 | Call Control |
The user can view their default phone app in device settings. |
|
| Mobile | T1662 | Data Destruction |
The user may view applications with administrator access through the device settings and may also notice if user data is inexplicably missing. |
|
| Mobile | T1642 | Endpoint Denial of Service |
On Android, the user can review which applications have Device Administrator access in the device settings and revoke permission where appropriate. |
|
| Mobile | T1627 | Execution Guardrails |
The user can review which applications have location and sensitive phone information permissions in the operating system’s settings menu. |
|
| .001 | Geofencing |
The user can review which applications have location permissions in the operating system’s settings menu. |
||
| Mobile | T1643 | Generate Traffic from Victim |
On Android, the user can review which applications can use premium SMS features in the "Special access" page within application settings. |
|
| Mobile | T1628 | Hide Artifacts |
The user can examine the list of all installed applications in the device settings. |
|
| .001 | Suppress Application Icon |
The user can examine the list of all installed applications, including those with a suppressed icon, in the device settings. If the user is redirected to the device settings when tapping an application’s icon, they should inspect the application to ensure it is genuine. |
||
| Mobile | T1629 | .001 | Impair Defenses: Prevent Application Removal |
The user can view a list of device administrators and applications that have registered accessibility services in device settings. The user can typically visually see when an action happens that they did not initiate and can subsequently review installed applications for any out of place or unknown ones. Applications that register an accessibility service or request device administrator permissions should be scrutinized further for malicious behavior. |
| .002 | Impair Defenses: Device Lockout |
The user can view a list of device administrators in device settings and revoke permission where appropriate. Applications that request device administrator permissions should be scrutinized further for malicious behavior. |
||
| .003 | Impair Defenses: Disable or Modify Tools |
The user can view a list of active device administrators in the device settings. |
||
| Mobile | T1630 | Indicator Removal on Host |
The user can view applications with administrator access through the device settings, and may also notice if user data is inexplicably missing. The user can see a list of applications that can use accessibility services in the device settings. |
|
| .001 | Uninstall Malicious Application |
The user can see a list of applications that can use accessibility services in the device settings. |
||
| .002 | File Deletion |
The user can view applications with administrator access through the device settings, and may also notice if user data is inexplicably missing. |
||
| Mobile | T1417 | Input Capture |
The user can view and manage installed third-party keyboards. |
|
| .001 | Keylogging |
On Android, the user can view and manage which applications have third-party keyboard access through the device settings in System -> Languages & input -> Virtual keyboard. On iOS, the user can view and manage which applications have third-party keyboard access through the device settings in General -> Keyboard. |
||
| .002 | GUI Input Capture |
An Android user can view and manage which applications hold the |
||
| Mobile | T1516 | Input Injection |
The user can view applications that have registered accessibility services in the accessibility menu within the device settings. |
|
| Mobile | T1430 | Location Tracking |
In both Android (6.0 and up) and iOS, the user can view which applications have the permission to access the device location through the device settings screen and revoke permissions as necessary. |
|
| Mobile | T1636 | Protected User Data |
The user can view permissions granted to an application in device settings. |
|
| .001 | Calendar Entries |
On both Android and iOS, the user can manage which applications have permission to access calendar information through the device settings screen, revoke the permission if necessary. |
||
| .002 | Call Log |
On Android, the user can manage which applications have permission to access the call log through the device settings screen, revoking the permission if necessary. |
||
| .003 | Contact List |
On both Android and iOS, the user can manage which applications have permission to access the contact list through the device settings screen, revoking the permission if necessary. |
||
| .004 | SMS Messages |
On Android, the user can manage which applications have permission to access SMS messages through the device settings screen, revoking the permission if necessary. |
||
| Mobile | T1513 | Screen Capture |
The user can view a list of apps with accessibility service privileges in the device settings. |
|
| Mobile | T1582 | SMS Control |
The user can view the default SMS handler in system settings. |
|
| Mobile | T1632 | Subvert Trust Controls |
On Android, the user can use the device settings menu to view trusted CA certificates and look for unexpected or unknown certificates. A mobile security product could similarly examine the trusted CA certificate store for anomalies. Users can use the device settings menu to view which applications on the device are allowed to install unknown applications. On iOS, the user can use the device settings menu to view installed Configuration Profiles and look for unexpected or unknown profiles. A Mobile Device Management (MDM) system could use the iOS MDM APIs to examine the list of installed Configuration Profiles for anomalies. |
|
| .001 | Code Signing Policy Modification |
On Android, the user can use the device settings menu to view trusted CA certificates and look for unexpected or unknown certificates. A mobile security product could similarly examine the trusted CA certificate store for anomalies. Users can use the device settings menu to view which applications on the device are allowed to install unknown applications. On iOS, the user can use the device settings menu to view installed Configuration Profiles and look for unexpected or unknown profiles. A Mobile Device Management (MDM) system could use the iOS MDM APIs to examine the list of installed Configuration Profiles for anomalies. |
||
| Mobile | T1512 | Video Capture |
The user can view which applications have permission to use the camera through the device settings screen, where the user can then choose to revoke the permissions. |
|