Exploit OS Vulnerability

A malicious app can exploit unpatched vulnerabilities in the operating system to obtain escalated privileges.

ID: T1404
Sub-techniques:  No sub-techniques
Tactic Type: Post-Adversary Device Access
Platforms: Android, iOS
Version: 1.0
Created: 25 October 2017
Last Modified: 17 October 2018

Procedure Examples

ID Name Description
S0440 Agent Smith

Agent Smith exploits known OS vulnerabilities, including Janus, to replace legitimate applications with malicious versions.[1]

S0293 BrainTest

Some original variants of BrainTest had the capability to automatically root some devices, but that behavior was not observed in later samples.[2]

S0550 DoubleAgent

DoubleAgent has used exploit tools to gain root, such as TowelRoot.[3]

S0420 Dvmap

Dvmap attempts to gain root access by using local exploits.[4]

S0405 Exodus

Exodus Two attempts to elevate privileges by using a modified version of the DirtyCow exploit.[5]

S0182 FinFisher

FinFisher comes packaged with ExynosAbuse, an Android exploit that can gain root privileges.[6]

S0290 Gooligan

Gooligan executes Android root exploits.[7]

S0322 HummingBad

HummingBad can exploit unfixed vulnerabilities in older Android versions to root victim phones.[8]


INSOMNIA exploits a WebKit vulnerability to achieve root access on the device.[9]

S0316 Pegasus for Android

Pegasus for Android attempts to exploit well-known Android OS vulnerabilities to escalate privileges.[10]

S0289 Pegasus for iOS

Pegasus for iOS exploits iOS vulnerabilities to escalate privileges.[11]

S0294 ShiftyBug

ShiftyBug is packed with at least eight publicly available exploits that can perform rooting.[12]

S0327 Skygofree

Skygofree has the capability to exploit several known vulnerabilities and escalate privileges.[13]

S0324 SpyDealer

SpyDealer uses the commercial rooting app Baidu Easy Root to gain root privilege and maintain persistence on the victim.[14]

S0494 Zen

Zen can obtain root access via a rooting trojan in its infection chain.[15]


ID Mitigation Description
M1005 Application Vetting

Application vetting may be able to identify the presence of exploit code within applications.

M1001 Security Updates
M1006 Use Recent OS Version