Remote Access Software

Adversaries may use legitimate remote access software, such as VNC, TeamViewer, AirDroid, AirMirror, etc., to establish an interactive command and control channel to target mobile devices.

Remote access applications may be installed and used post-compromise as an alternate communication channel for redundant access or as a way to establish an interactive remote session with the target device. They may also be used as a component of malware to establish a reverse connection to an adversary-controlled system or service. Installation of remote access tools may also include persistence.

ID: T1663
Sub-techniques:  No sub-techniques
Platforms: Android, iOS
Version: 1.0
Created: 25 September 2023
Last Modified: 25 September 2023

Procedure Examples

ID Name Description

BRATA can view a device through VNC.[1]

S1092 Escobar

Escobar can use VNC to remotely control an infected device.[2]


ID Mitigation Description
M1012 Enterprise Policy

When devices are enrolled in an EMM/MDM using device owner (iOS) or fully managed (Android) mode, the EMM/MDM can collect a list of installed applications on the device. An administrator can then act on, for example blocking, specific remote access applications from being installed on managed devices.

M1011 User Guidance

Users should be encouraged to be very careful with granting dangerous permissions, such as device administrator or access to device accessibility.


ID Data Source Data Component Detects
DS0042 User Interface Permissions Request

Remote access software typically requires many privileged permissions, such as accessibility services or device administrator.