Remotely Track Device Without Authorization

An adversary who is able to obtain unauthorized access to, or misuse authorized access to, cloud services (e.g. Google's Android Device Manager or Apple iCloud's Find my iPhone) or to an enterprise mobility management (EMM) / mobile device management (MDM) server console could use that access to track mobile devices.[1]

ID: T1468
Tactic Type: Without Adversary Device Access
Tactic: Remote Service Effects
Platform: Android, iOS
MTC ID: ECO-5, EMM-7
Version: 1.1
Created: 25 October 2017
Last Modified: 03 February 2019

Mitigations

Mitigation: User Guidance
Description: Encourage users to protect their account credentials and to enable available multi-factor authentication options.

Detection

Google sends a notification to the device when Android Device Manager is used to locate it. Additionally, Google provides the ability for users to view their general account activity. Apple iCloud also provides notifications to users of account activity.

References