Adversaries may use built-in command-line interfaces to interact with the device and execute commands. Android provides a bash shell that can be interacted with over the Android Debug Bridge (ADB) or programmatically using Java’s
Runtime package. On iOS, adversaries can interact with the underlying runtime shell if the device has been jailbroken.
If the device has been rooted or jailbroken, adversaries may locate and invoke a superuser binary to elevate their privileges and interact with the system as the root user. This dangerous level of permissions allows the adversary to run special commands and modify protected system files.
Application vetting services could detect invocations of methods that could be used to execute shell commands.
Device attestation can often detect jailbroken or rooted devices.
|M1010||Deploy Compromised Device Detection Method||
Mobile security products can often detect jailbroken or rooted devices.
Command-Line Interface execution can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.
- B. Leonard, N. Mehta. (2019, November 21). The Secret Life of Sandworms. Retrieved December 31, 2020.
- A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020.