Modify Trusted Execution Environment

If an adversary can escalate privileges, he or she may be able to use those privileges to place malicious code in the device's Trusted Execution Environment (TEE) or other similar isolated execution environment where the code can evade detection, may persist after device resets, and may not be removable by the device user. Running code within the TEE may provide an adversary with the ability to monitor or tamper with overall device behavior.[1]

ID: T1399
Sub-techniques: No sub-techniques
Tactic Type: Post-Adversary Device Access
Tactics: Defense Evasion, Persistence
Platforms: Android
MTC ID: APP-27
Version: 1.1
Created: 25 October 2017
Last Modified: 03 February 2019

Mitigations

Mitigation Description
Security Updates

Detection

Devices may perform cryptographic integrity checks of code running within the TEE at boot time.

iOS devices will fail to boot if the software running within the Secure Enclave does not pass signature verification.[2]
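The boot-time check described above (a signed TEE image that the device refuses to run when signature verification fails) can be modeled in a few dozen lines. The following is an added example and is not code from the ATT&CK page, from Android, or from Apple's Secure Enclave firmware; the manifest layout, the `BootVerifier` type, and the use of Ed25519 are assumptions chosen for illustration. It goes slightly beyond the text by also carrying a version number in the manifest and refusing images older than a stored floor, the anti-rollback check that usually accompanies a signature check so a correctly signed but older, vulnerable TEE image cannot be reinstalled.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is the signed description of a TEE image: the image's SHA-256
// digest plus a version used for anti-rollback. This is an illustrative
// layout (an assumption), not Android's or iOS's real manifest format.
type Manifest struct {
	ImageDigest [32]byte
	Version     uint32
}

// Encode serializes the manifest to the exact bytes that get signed.
func (m Manifest) Encode() []byte {
	buf := make([]byte, 36)
	copy(buf[:32], m.ImageDigest[:])
	binary.BigEndian.PutUint32(buf[32:], m.Version)
	return buf
}

// BootVerifier holds what a root of trust keeps in immutable storage:
// the vendor's verification key (fused at manufacture) and the lowest
// TEE image version it is still willing to boot.
type BootVerifier struct {
	RootPub    ed25519.PublicKey
	MinVersion uint32
}

var (
	ErrBadSignature   = errors.New("manifest signature does not verify against root key")
	ErrDigestMismatch = errors.New("TEE image digest does not match signed manifest")
	ErrRollback       = errors.New("TEE image version is below the anti-rollback floor")
)

// VerifyTEEImage is the boot-time integrity check. It only returns nil when
// (1) the manifest signature verifies under the fused root key, (2) the
// image hashes to the digest the manifest commits to, and (3) the version
// is not below the stored floor. Any failure means: do not boot the TEE.
func (v BootVerifier) VerifyTEEImage(image []byte, m Manifest, sig []byte) error {
	if !ed25519.Verify(v.RootPub, m.Encode(), sig) {
		return ErrBadSignature
	}
	if sum := sha256.Sum256(image); !bytes.Equal(sum[:], m.ImageDigest[:]) {
		return ErrDigestMismatch
	}
	if m.Version < v.MinVersion {
		return ErrRollback
	}
	return nil
}

// SignManifest stands in for the vendor's offline release pipeline; it is
// included only so the example is self-contained.
func SignManifest(priv ed25519.PrivateKey, image []byte, version uint32) (Manifest, []byte) {
	m := Manifest{ImageDigest: sha256.Sum256(image), Version: version}
	return m, ed25519.Sign(priv, m.Encode())
}

func main() {
	// Constructed key pair and image bytes; a real device has the public
	// key burned into fuses or ROM and the image in flash.
	rootPub, rootPriv, _ := ed25519.GenerateKey(rand.Reader)
	verifier := BootVerifier{RootPub: rootPub, MinVersion: 2}
	image := []byte("constructed TEE image bytes, version 3")
	m, sig := SignManifest(rootPriv, image, 3)
	fmt.Println("genuine image: ", verifier.VerifyTEEImage(image, m, sig))

	// Flip one byte of the image in flash: the signed digest no longer matches.
	tampered := append([]byte(nil), image...)
	tampered[0] ^= 0xFF
	fmt.Println("tampered image:", verifier.VerifyTEEImage(tampered, m, sig))
}
```

The important property for this technique is that the check is anchored in something the adversary cannot rewrite from a privileged OS context: the root public key and the version floor live outside the writable storage the malicious TEE code sits in, so modifying the image, re-signing it with a different key, or reinstalling an older signed build all fail before the TEE is ever entered.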

References