Adversaries may exploit software vulnerabilities in order to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in an application, service, within the operating system software, or kernel itself to execute adversary-controlled code. Security constructions, such as permission levels, will often hinder access to information and use of certain techniques. Adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
When initially gaining access to a device, an adversary may be operating within a lower privileged process which will prevent them from accessing certain resources on the system. Vulnerabilities may exist, usually in operating system components and applications running at higher permissions, that can be exploited to gain higher levels of access on the system. This could enable someone to move from unprivileged or user- level permission to root permissions depending on the component that is vulnerable.
| ID | Name | Description |
|---|---|---|
| S1061 | AbstractEmu |
AbstractEmu can use rooting exploits to silently give itself permissions or install additional malware.[1] |
| S0440 | Agent Smith |
Agent Smith exploits known OS vulnerabilities, including Janus, to replace legitimate applications with malicious versions.[2] |
| S0293 | BrainTest |
Some original variants of BrainTest had the capability to automatically root some devices, but that behavior was not observed in later samples.[3] |
| S0550 | DoubleAgent |
DoubleAgent has used exploit tools to gain root, such as TowelRoot.[4] |
| S0420 | Dvmap |
Dvmap attempts to gain root access by using local exploits.[5] |
| S0405 | Exodus |
Exodus Two attempts to elevate privileges by using a modified version of the DirtyCow exploit.[6] |
| S0182 | FinFisher |
FinFisher comes packaged with ExynosAbuse, an Android exploit that can gain root privileges.[7] |
| S0290 | Gooligan | |
| S0322 | HummingBad |
HummingBad can exploit unfixed vulnerabilities in older Android versions to root victim phones.[9] |
| S0463 | INSOMNIA |
INSOMNIA exploits a WebKit vulnerability to achieve root access on the device.[10] |
| S0316 | Pegasus for Android |
Pegasus for Android attempts to exploit well-known Android OS vulnerabilities to escalate privileges.[11] |
| S0289 | Pegasus for iOS |
Pegasus for iOS exploits iOS vulnerabilities to escalate privileges.[12] |
| S1126 | Phenakite |
Phenakite has included exploits for jailbreaking infected devices.[13] |
| S0294 | ShiftyBug |
ShiftyBug is packed with at least eight publicly available exploits that can perform rooting.[14] |
| S0327 | Skygofree |
Skygofree has the capability to exploit several known vulnerabilities and escalate privileges.[15] |
| S0324 | SpyDealer |
SpyDealer uses the commercial rooting app Baidu Easy Root to gain root privilege and maintain persistence on the victim.[16] |
| S0494 | Zen |
Zen can obtain root access via a rooting trojan in its infection chain.[17] |
| ID | Mitigation | Description |
|---|---|---|
| M1002 | Attestation |
Device attestation can often detect jailbroken or rooted devices. |
| M1010 | Deploy Compromised Device Detection Method |
Mobile security products can potentially detect jailbroken or rooted devices. |
| M1001 | Security Updates |
Security updates often contain patches for vulnerabilities. |
| ID | Data Source | Data Component | Detects |
|---|---|---|---|
| DS0041 | Application Vetting | API Calls |
Application vetting services could potentially determine if an application contains code designed to exploit vulnerabilities. |
| DS0013 | Sensor Health | Host Status |
Mobile security products can potentially utilize device APIs to determine if a device has been rooted or jailbroken. |