Obtain Device Cloud Backups

An adversary who is able to obtain unauthorized access to, or misuse authorized access to, cloud backup services (e.g. Google's Android backup service or Apple's iCloud) could use that access to obtain sensitive data stored in device backups. For example, the Elcomsoft Phone Breaker product advertises the ability to retrieve iOS backup data from Apple's iCloud [1]. Elcomsoft also describes [2] obtaining WhatsApp communication histories from backups stored in iCloud.

ID: T1470

Tactic Type: Without Adversary Device Access

Tactic: Remote Service Effects

Platform: Android, iOS

MTC ID: ECO-0, ECO-1

Version: 1.0

Mitigations

Mitigation | Description
User Guidance | Encourage users to protect their account credentials and to enable available multi-factor authentication options.

Detection

Google provides the ability for users to view their account activity. Apple iCloud also provides notifications to users of account activity.

References