An adversary may encrypt files stored on the mobile device to prevent the user from accessing them, for example with the intent of only unlocking access to the files after a ransom is paid. Without escalated privileges, the adversary is generally limited to only encrypting files in external/shared storage locations. This technique has been demonstrated on Android. We are unaware of any demonstrated use on iOS.
|T1472||Generate Fraudulent Advertising Revenue||
An adversary could seek to generate fraudulent advertising revenue from mobile devices, for example by triggering automatic clicks of advertising links without user involvement.
|T1446||Lock User Out of Device||
An adversary may seek to lock the legitimate user out of the device, for example until a ransom is paid.
|T1452||Manipulate App Store Rankings or Ratings||
An adversary could use access to a compromised device's credentials to attempt to manipulate app store rankings or ratings by triggering application downloads or posting fake reviews of applications. This technique likely requires privileged access (a rooted or jailbroken device).
|T1448||Premium SMS Toll Fraud||
A malicious app could use standard Android APIs to send SMS messages. SMS messages could potentially be sent to premium numbers that charge the device owner and generate revenue for an adversary.
|T1447||Wipe Device Data||
A malicious application could abuse Android device administrator access to wipe device contents, for example if a ransom is not paid.