1. Home
  2. Mitigations
  3. Deploy Compromised Device Detection Method

Deploy Compromised Device Detection Method

A variety of methods exist that can be used to enable enterprises to identify compromised (e.g. rooted/jailbroken) devices, whether using security mechanisms built directly into the device, third-party mobile security applications, enterprise mobility management (EMM)/mobile device management (MDM) capabilities, or other methods. Some methods may be trivial to evade while others may be more sophisticated.

ID: M1010
Version: 1.0
Created: 25 October 2017
Last Modified: 17 October 2018
Version Permalink
Mobile Layer
download view

Techniques Addressed by Mitigation

Domain ID Name Use
Mobile T1623 Command and Scripting Interpreter

Mobile security products can typically detect jailbroken or rooted devices.

.001 Unix Shell

Mobile security products can typically detect jailbroken or rooted devices.

Mobile T1634 Credentials from Password Store

Mobile security products can take appropriate action when jailbroken devices are detected, potentially limiting the adversary’s access to password stores.

.001 Keychain

Mobile security products can take appropriate action when jailbroken devices are detected, potentially limiting the adversary’s access to password stores.
Mobile T1404 Exploitation for Privilege Escalation

Mobile security products can potentially detect jailbroken or rooted devices.
Mobile T1628 .002 Hide Artifacts: User Evasion

Mobile security products that are part of the Samsung Knox for Mobile Threat Defense program could examine running applications while the device is idle, potentially detecting malicious applications that are running primarily when the device is not being used.
Mobile T1617 Hooking

Mobile security products can often detect rooted devices.
Mobile T1629 Impair Defenses

Mobile security software can typically detect if a device has been rooted or jailbroken and can inform the user, who can then take appropriate action.
.003 Disable or Modify Tools

Mobile security software can typically detect if a device has been rooted or jailbroken and can inform the user, who can then take appropriate action.