Adversaries may use legitimate remote access software, such as VNC, TeamViewer, AirDroid, AirMirror, etc., to establish an interactive command and control channel to target mobile devices.
Remote access applications may be installed and used post-compromise as an alternate communication channel for redundant access or as a way to establish an interactive remote session with the target device. They may also be used as a component of malware to establish a reverse connection to an adversary-controlled system or service. Installation of remote access tools may also include persistence.
| ID | Name | Description |
|---|---|---|
| S1094 | BRATA | |
| S1092 | Escobar | Escobar can use VNC to remotely control an infected device.[2] |
| ID | Mitigation | Description |
|---|---|---|
| M1012 | Enterprise Policy | When devices are enrolled in an EMM/MDM in supervised (iOS) or fully managed/device owner (Android) mode, the EMM/MDM can collect the list of applications installed on the device. An administrator can then act on that inventory, for example by blocking specific remote access applications from being installed on managed devices. |
| M1011 | User Guidance | Users should be encouraged to be very careful when granting dangerous permissions, such as device administrator rights or access to accessibility services, since these are exactly the permissions remote access tools and the malware that abuses them depend on. |
| ID | Data Source | Data Component | Detects |
|---|---|---|---|
| DS0042 | User Interface | Permissions Request | Remote access software typically requires privileged permissions, such as accessibility service access or device administrator rights; requests for and grants of these permissions can be monitored and reviewed. |
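The mitigation and detection rows above both come down to the same triage step on a managed Android device: take the installed-package inventory, then check which packages hold the privileged permissions remote access tools need (an enabled accessibility service, an active device administrator). The script below is an added example, not code from the ATT&CK entry, that performs that triage offline over constructed copies of the output of three `adb shell` commands (`pm list packages`, `settings get secure enabled_accessibility_services`, `dumpsys device_policy`). The package names in `KNOWN_REMOTE_ACCESS`, the service and receiver class names in the sample data, and the `ComponentInfo{pkg/cls}` token format assumed for `dumpsys device_policy` are the author's assumptions, not facts from this page.

```python
import re
from typing import Dict, List

# Package names for the remote access tools this page names. Assumed by the
# author of this example; verify against the actual app store listings.
KNOWN_REMOTE_ACCESS = {
    "com.teamviewer.quicksupport.market": "TeamViewer QuickSupport",
    "com.teamviewer.host.market": "TeamViewer Host",
    "com.realvnc.viewer.android": "RealVNC Viewer",
    "com.sand.airdroid": "AirDroid",
    "com.sand.airmirror": "AirMirror",
}


def parse_pm_list(output: str) -> List[str]:
    """Parse `adb shell pm list packages` output, one 'package:<name>' per line."""
    return [line.split(":", 1)[1].strip()
            for line in output.splitlines() if line.startswith("package:")]


def parse_accessibility(setting: str) -> List[str]:
    """Parse `settings get secure enabled_accessibility_services`.

    The value is a colon-separated list of <package>/<service> entries, or
    'null' when no accessibility service is enabled. Returns package names.
    """
    if not setting or setting.strip() == "null":
        return []
    return [entry.split("/", 1)[0] for entry in setting.strip().split(":") if entry]


def parse_device_admins(dumpsys: str) -> List[str]:
    """Extract package names from ComponentInfo{pkg/cls} tokens in `dumpsys device_policy`.

    Token format is an assumption of this example; adjust the regex to the
    Android release you are triaging.
    """
    return sorted({m.group(1) for m in re.finditer(r"ComponentInfo\{([\w.]+)/", dumpsys)})


def triage(pm_output: str, accessibility_setting: str,
           dumpsys_output: str) -> Dict[str, List[str]]:
    """Return {package: [reasons]} for every installed package that is a known
    remote access tool or holds a privileged permission such tools rely on."""
    a11y = set(parse_accessibility(accessibility_setting))
    admins = set(parse_device_admins(dumpsys_output))
    findings: Dict[str, List[str]] = {}
    for pkg in parse_pm_list(pm_output):
        reasons = []
        if pkg in KNOWN_REMOTE_ACCESS:
            reasons.append(f"known remote access tool ({KNOWN_REMOTE_ACCESS[pkg]})")
        if pkg in a11y:
            reasons.append("accessibility service enabled")
        if pkg in admins:
            reasons.append("active device admin")
        if reasons:
            findings[pkg] = reasons
    return findings


# Constructed sample data standing in for the three adb command outputs.
SAMPLE_PM = """package:com.android.settings
package:com.google.android.gms
package:com.sand.airdroid
package:com.example.unknownrat
"""
# Service class names below are made up for the example.
SAMPLE_A11Y = ("com.sand.airdroid/com.sand.airdroid.ExampleAccessibilityService:"
               "com.example.unknownrat/com.example.unknownrat.A11yService")
SAMPLE_DUMPSYS = """Current Device Policy Manager state:
  Enabled Device Admins (User 0):
    ComponentInfo{com.example.unknownrat/com.example.unknownrat.AdminReceiver}:
      uid=10215
"""

if __name__ == "__main__":
    for pkg, reasons in triage(SAMPLE_PM, SAMPLE_A11Y, SAMPLE_DUMPSYS).items():
        print(pkg, "->", "; ".join(reasons))
```

Note the second kind of hit: `com.example.unknownrat` is not on the known-tool list but is flagged anyway because it holds both an accessibility service and device administrator rights, which is the pattern the Escobar and BRATA entries above describe. A blocklist of named tools alone would miss it; the permission check is what gives coverage for malware that embeds its own remote access component.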