1. Home
  2. Matrices
  3. Android

Android Matrix

Below are the tactics and techniques representing the two MITRE ATT&CK® Matrices for Mobile. The Matrices cover techniques involving device access and network-based effects that can be used by adversaries without device access. The Matrix contains information for the Android platform.

View on the ATT&CK® Navigator
Version Permalink
Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection Command and Control Exfiltration Impact
6 techniques 4 techniques 7 techniques 3 techniques 16 techniques 4 techniques 8 techniques 2 techniques 13 techniques 9 techniques 2 techniques 10 techniques
Application Versioning
Drive-By Compromise
Lockscreen Bypass
Phishing
Replication Through Removable Media
Supply Chain Compromise (3)
=
Command and Scripting Interpreter (1)
=
Exploitation for Client Execution
Native API
Scheduled Task/Job
Boot or Logon Initialization Scripts
Compromise Application Executable
Compromise Client Software Binary
Event Triggered Execution (1)
=
Foreground Persistence
Hijack Execution Flow (1)
=
Scheduled Task/Job
Abuse Elevation Control Mechanism (1)
=
Exploitation for Privilege Escalation
Process Injection (1)
=
Application Versioning
Download New Code at Runtime
Execution Guardrails (1)
=
Foreground Persistence
Hide Artifacts (2)
=
Hooking
Impair Defenses (3)
=
Indicator Removal on Host (3)
=
Input Injection
Masquerading (1)
=
Native API
Obfuscated Files or Information (2)
=
Process Injection (1)
=
Proxy Through Victim
Subvert Trust Controls (1)
=
Virtualization/Sandbox Evasion (1)
=
Access Notifications
Clipboard Data
Input Capture (2)
=
Steal Application Access Token (1)
=
File and Directory Discovery
Location Tracking (2)
=
Network Service Scanning
Process Discovery
Software Discovery (1)
=
System Information Discovery
System Network Configuration Discovery
System Network Connections Discovery
Exploitation of Remote Services
Replication Through Removable Media
Access Notifications
Adversary-in-the-Middle
Archive Collected Data
Audio Capture
Call Control
Clipboard Data
Data from Local System
Input Capture (2)
=
Location Tracking (2)
=
Protected User Data (4)
=
Screen Capture
Stored Application Data
Video Capture
Application Layer Protocol (1)
=
Call Control
Dynamic Resolution (1)
=
Encrypted Channel (2)
=
Ingress Tool Transfer
Non-Standard Port
Out of Band Data
Remote Access Software
Web Service (3)
=
Exfiltration Over Alternative Protocol (1)
=
Exfiltration Over C2 Channel
Account Access Removal
Call Control
Data Destruction
Data Encrypted for Impact
Data Manipulation (1)
=
Endpoint Denial of Service
Generate Traffic from Victim
Input Injection
Network Denial of Service
SMS Control
Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection Command and Control Exfiltration Impact
6 techniques 4 techniques 7 techniques 3 techniques 16 techniques 4 techniques 8 techniques 2 techniques 13 techniques 9 techniques 2 techniques 10 techniques
Application Versioning
Drive-By Compromise
Lockscreen Bypass
Phishing
Replication Through Removable Media
=
Supply Chain Compromise (3)
=
Command and Scripting Interpreter (1)
Exploitation for Client Execution
Native API
Scheduled Task/Job
Boot or Logon Initialization Scripts
Compromise Application Executable
Compromise Client Software Binary
=
Event Triggered Execution (1)
Foreground Persistence
=
Hijack Execution Flow (1)
Scheduled Task/Job
=
Abuse Elevation Control Mechanism (1)
Exploitation for Privilege Escalation
=
Process Injection (1)
Application Versioning
Download New Code at Runtime
=
Execution Guardrails (1)
Foreground Persistence
=
Hide Artifacts (2)
Hooking
=
Impair Defenses (3)
=
Indicator Removal on Host (3)
Input Injection
=
Masquerading (1)
Native API
=
Obfuscated Files or Information (2)
=
Process Injection (1)
Proxy Through Victim
=
Subvert Trust Controls (1)
=
Virtualization/Sandbox Evasion (1)
Access Notifications
Clipboard Data
=
Input Capture (2)
=
Steal Application Access Token (1)
File and Directory Discovery
=
Location Tracking (2)
Network Service Scanning
Process Discovery
=
Software Discovery (1)
System Information Discovery
System Network Configuration Discovery
System Network Connections Discovery
Exploitation of Remote Services
Replication Through Removable Media
Access Notifications
Adversary-in-the-Middle
Archive Collected Data
Audio Capture
Call Control
Clipboard Data
Data from Local System
=
Input Capture (2)
=
Location Tracking (2)
=
Protected User Data (4)
Screen Capture
Stored Application Data
Video Capture
=
Application Layer Protocol (1)
Call Control
=
Dynamic Resolution (1)
=
Encrypted Channel (2)
Ingress Tool Transfer
Non-Standard Port
Out of Band Data
Remote Access Software
=
Web Service (3)
=
Exfiltration Over Alternative Protocol (1)
Exfiltration Over C2 Channel
Account Access Removal
Call Control
Data Destruction
Data Encrypted for Impact
=
Data Manipulation (1)
Endpoint Denial of Service
Generate Traffic from Victim
Input Injection
Network Denial of Service
SMS Control