Modify Trusted Execution Environment

If an adversary can escalate privileges, he or she may be able to use those privileges to place malicious code in the device's Trusted Execution Environment (TEE) or other similar isolated execution environment where the code can evade detection, may persist after device resets, and may not be removable by the device user. Running code within the TEE may provide an adversary with the ability to monitor or tamper with overall device behavior.[1]

ID: T1399

Tactic Type:  Post-Adversary Device Access

Tactic: Defense Evasion, Persistence

Platform:  Android

MTC ID:  APP-27

Version: 1.1

Mitigations

MitigationDescription
Security Updates

Detection

Devices may perform cryptographic integrity checks of code running within the TEE at boot time.

iOS devices will fail to boot if the software running within the Secure Enclave does not pass signature verification.[2]

References