Exploitation for Initial Access

Adversaries may exploit software vulnerabilities to gain initial access to a mobile device.

This can be accomplished in a variety of ways. Vulnerabilities may be present in applications, services, the underlying operating system, or in the kernel itself. Several well-known mobile device exploits exist, including FORCEDENTRY, StageFright, and BlueBorne. Further, some exploits may be possible to exploit without any user interaction (zero-click), making them particularly dangerous. Mobile operating system vendors are typically very quick to patch such critical bugs, ensuring only a small window where they can be exploited.

ID: T1664
Sub-techniques:  No sub-techniques
Tactic: Initial Access
Platforms: Android, iOS
Version: 1.0
Created: 05 December 2023
Last Modified: 05 December 2023

Procedure Examples

ID Name Description

BRATA has abused WhatsApp vulnerability CVE-2019-3568 to achieve initial access.[1]

S0289 Pegasus for iOS

Pegasus for iOS has used zero-day iMessage exploits for initial access.[2]


ID Mitigation Description
M1058 Antivirus/Antimalware

Mobile security products can potentially detect if a device is vulnerable to a known exploit and can alert the user to update their device.

M1001 Security Updates

Security updates frequently contain patches for known software vulnerabilities.


ID Data Source Data Component Detects
DS0013 Sensor Health Host Status

Mobile security products can often alert the user if their device is vulnerable to known exploits.