1. Home
  2. Techniques
  3. Mobile
  4. Replication Through Removable Media

Replication Through Removable Media

Adversaries may move onto devices by exploiting or copying malware to devices connected via USB. In the case of Lateral Movement, adversaries may utilize the physical connection of a device to a compromised or malicious charging station or PC to bypass application store requirements and install malicious applications directly.[1] In the case of Initial Access, adversaries may attempt to exploit the device via the connection to gain access to data stored on the device.[2] Examples of this include:

  • Exploiting insecure bootloaders in a Nexus 6 or 6P device over USB and gaining the ability to perform actions including intercepting phone calls, intercepting network traffic, and obtaining the device physical location.[3]
  • Exploiting weakly-enforced security boundaries in Android devices such as the Google Pixel 2 over USB.[4]
  • Products from Cellebrite and Grayshift purportedly that can exploit some iOS devices using physical access to the data port to unlock the passcode.[5]
ID: T1458
Sub-techniques:  No sub-techniques
Tactic Type: Post-Adversary Device Access
Platforms: Android, iOS
MTC ID: PHY-1, PHY-2, STA-6
Version: 2.1
Created: 25 October 2017
Last Modified: 07 August 2023
Version Permalink

Procedure Examples

ID Name Description
S0315 DualToy

DualToy side loads malicious or risky apps to both Android and iOS devices via a USB connection.[6]
S0312 WireLurker

WireLurker monitors for iOS devices connected via USB to an infected OSX computer and installs downloaded third-party applications or automatically generated malicious applications onto the device.[7]

Mitigations

ID Mitigation Description
M1012 Enterprise Policy

Enterprise policies should prevent enabling USB debugging on Android devices unless specifically needed (e.g., if the device is used for application development).
M1003 Lock Bootloader

Users should ensure bootloaders are locked to prevent arbitrary operating system code from being flashed onto the device.
M1001 Security Updates

Security updates often contain patches for vulnerabilities.
M1006 Use Recent OS Version

iOS 11.4.1 and higher introduce USB Restricted Mode, which disables data access through the device's charging port under certain conditions (making the port only usable for power), likely preventing this technique from working.[8]
M1011 User Guidance

Users should be advised not to use public charging stations or computers to charge their devices. Instead, users should be issued a charger acquired from a trustworthy source. Users should be advised not to click on device prompts to trust attached computers unless absolutely necessary.

Detection

ID Data Source Data Component Detects
DS0013 Sensor Health Host Status

Mobile security products can often alert the user if their device is vulnerable to known exploits.

References

  1. Lau et al.. (2013). Mactans: Injecting Malware Into iOS Devices Via Malicious Chargers. Retrieved December 23, 2016.
  2. Brian Krebs. (2011, August 17). Beware of Juice-Jacking. Retrieved December 23, 2016.
  3. Roee Hay. (2017, January 5). Android Vulnerabilities: Attacking Nexus 6 and 6P Custom Boot Modes. Retrieved January 11, 2017.
  4. Jann Horn. (2018, September 10). OATmeal on the Universal Cereal Bus: Exploiting Android phones over USB. Retrieved September 18, 2018.
  1. Lucas Mearian. (2018, May 9). Two vendors now sell iPhone cracking technology – and police are buying. Retrieved September 21, 2018.
  2. Claud Xiao. (2016, September 13). DualToy: New Windows Trojan Sideloads Risky Apps to Android and iOS Devices. Retrieved January 24, 2017.
  3. Claud Xiao. (2014, November 5). WireLurker: A New Era in OS X and iOS Malware. Retrieved January 24, 2017.
  4. Oleg Afonin. (2018, September 20). iOS 12 Enhances USB Restricted Mode. Retrieved September 21, 2018.