Check out the results from our first round of ATT&CK Evaluations at attackevals.mitre.org!

Mobile Techniques

Mobile Techniques: 66
ID Name Description
T1453 Abuse Accessibility Features

A malicious app could abuse Android's accessibility features to capture sensitive data or perform other malicious actions, as demonstrated in a proof of concept created by Skycure .

T1401 Abuse Device Administrator Access to Prevent Removal

A malicious application can request Device Administrator privileges. If the user grants the privileges, the application can take steps to make its removal more difficult.

T1435 Access Calendar Entries

An adversary could call standard operating system APIs from a malicious application to gather calendar entry data, or with escalated privileges could directly access files containing calendar data.

T1433 Access Call Log

On Android, an adversary could call standard operating system APIs from a malicious application to gather call log data, or with escalated privileges could directly access files containing call log data.

T1432 Access Contact List

An adversary could call standard operating system APIs from a malicious application to gather contact list (i.e., address book) data, or with escalated privileges could directly access files containing contact list data.

T1413 Access Sensitive Data in Device Logs

On versions of Android prior to 4.1, an adversary may use a malicious application that holds the READ_LOGS permission to obtain private keys, passwords, other credentials, or other sensitive data stored in the device's system log. On Android 4.1 and later, an adversary would need to attempt to perform an operating system privilege escalation attack to be able to access the log.

T1409 Access Sensitive Data or Credentials in Files

An adversary could attempt to read files that contain sensitive data or credentials (e.g., private keys, passwords, access tokens). This technique requires either escalated privileges or for the targeted app to have stored the data in an insecure manner (e.g., with insecure file permissions or in an insecure location such as an external storage directory).

T1438 Alternate Network Mediums

Adversaries can communicate using cellular networks rather than enterprise Wi-Fi in order to bypass enterprise network monitoring systems. Adversaries may also communicate using other non-Internet Protocol mediums such as SMS, NFC, or Bluetooth to bypass network monitoring systems.

T1416 Android Intent Hijacking

A malicious app can register to receive intents meant for other applications and may then be able to receive sensitive values such as OAuth authorization codes as described in .

T1402 App Auto-Start at Device Boot

An Android application can listen for the BOOT_COMPLETED broadcast, ensuring that the app's functionality will be activated every time the device starts up without having to wait for the device user to manually start the app.

T1418 Application Discovery

Adversaries may seek to identify all applications installed on the device. One use case for doing so is to identify the presence of endpoint security applications that may increase the adversary's risk of detection. Another use case is to identify the presence of applications that the adversary may wish to target.

T1427 Attack PC via USB Connection

With escalated privileges, an adversary could program the mobile device to impersonate USB devices such as input devices (keyboard and mouse), storage devices, and/or networking devices in order to attack a physically connected PC. Wang and Stavrou and Kamkar describe this technique. This technique has been demonstrated on Android, and we are unaware of any demonstrations on iOS.

T1414 Capture Clipboard Data

A malicious app or other attack vector could capture sensitive data stored in the device clipboard, for example passwords being copy-and-pasted from a password manager app.

T1412 Capture SMS Messages

A malicious application could capture sensitive data sent via SMS, including authentication credentials. SMS is frequently used to transmit codes used for multi-factor authentication.

T1436 Commonly Used Port

Adversaries may communicate over a commonly used port to bypass firewalls or network detection systems and to blend with normal network activity to avoid more detailed inspection. They may use commonly open ports such as

T1475 Deliver Malicious App via Authorized App Store

Malicious applications are a common attack vector used by adversaries to gain a presence on mobile devices. Mobile devices often are configured to allow application installation only from an authorized app store (e.g., Google Play Store or Apple App Store). An adversary may seek to place a malicious application in an authorized app store, enabling the application to be installed onto targeted devices.

T1476 Deliver Malicious App via Other Means

Malicious applications are a common attack vector used by adversaries to gain a presence on mobile devices. This technique describes installing a malicious application on targeted mobile devices without involving an authorized app store (e.g., Google Play Store or Apple App Store). Adversaries may wish to avoid placing malicious applications in an authorized app store due to increased potential risk of detection or other reasons. However, mobile devices often are configured to allow application installation only from an authorized app store which would prevent this technique from working.

T1419 Device Type Discovery

On Android, device type information is accessible to apps through the android.os.Build class . Device information could be used to target privilege escalation exploits.

T1408 Disguise Root/Jailbreak Indicators

An adversary could use knowledge of the techniques used by security software to evade detection. For example, some mobile security products perform compromised device detection by searching for particular artifacts such as an installed "su" binary, but that check could be evaded by naming the binary something else. Similarly, polymorphic code techniques could be used to evade signature-based detection as described by Rastogi et al. .

T1466 Downgrade to Insecure Protocols

An adversary could cause the mobile device to use less secure protocols, for example by jamming frequencies used by newer protocols such as LTE and only allowing older protocols such as GSM to communicate as described in NIST SP 800-187 . Use of less secure protocols may make communication easier to eavesdrop upon or manipulate.

T1407 Download New Code at Runtime

An app could download and execute dynamic code (not included in the original application package) after installation to evade static analysis techniques (and potentially dynamic analysis techniques) used for application vetting or application store review .

T1456 Drive-by Compromise

As described by ATT&CK for Enterprise, a drive-by compromise is when an adversary gains access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's web browser is targeted for exploitation. For example, a website may contain malicious media content intended to exploit vulnerabilities in media parsers as demonstrated by the Android Stagefright vulnerability .

T1439 Eavesdrop on Insecure Network Communication

If network traffic between the mobile device and remote servers is unencrypted or is encrypted in an insecure manner, then an adversary positioned on the network can eavesdrop on communication. For example, He et al. describe numerous healthcare-related applications that did not properly protect network communication.

T1471 Encrypt Files for Ransom

An adversary may encrypt files stored on the mobile device to prevent the user from accessing them, only unlocking access to the files after a ransom is paid. Without escalated privileges, the adversary is generally limited to only encrypting files in external/shared storage locations. This technique has been demonstrated on Android, and we are unaware of any demonstrated use on iOS.

T1428 Exploit Enterprise Resources

Adversaries may attempt to exploit enterprise servers, workstations, or other resources over the network. This technique may take advantage of the mobile device's access to an internal enterprise network either through local connectivity or through a Virtual Private Network (VPN).

T1404 Exploit OS Vulnerability

A malicious app can exploit unpatched vulnerabilities in the operating system to obtain escalated privileges.

T1449 Exploit SS7 to Redirect Phone Calls/SMS

An adversary could exploit signaling system vulnerabilities to redirect calls or text messages to a phone number under the attacker's control. The adversary could then act as a man-in-the-middle to intercept or manipulate the communication.

T1450 Exploit SS7 to Track Device Location

An adversary could exploit signaling system vulnerabilities to track the location of mobile devices.

T1405 Exploit TEE Vulnerability

A malicious app or other attack vector could be used to exploit vulnerabilities in code running within the Trusted Execution Environment (TEE) . The adversary could then obtain privileges held by the TEE potentially including the ability to access cryptographic keys or other sensitive data . Escalated operating system privileges may be first required in order to have the ability to attack the TEE . If not, privileges within the TEE can potentially be used to exploit the operating system .

T1458 Exploit via Charging Station or PC

If the mobile device is connected (typically via USB) to a charging station or a PC, for example to charge the device's battery, then a compromised or malicious charging station or PC could attempt to exploit the mobile device via the connection.

T1477 Exploit via Radio Interfaces

The mobile device may be targeted for exploitation through its interface to cellular networks or other radio interfaces.

T1420 File and Directory Discovery

On Android, command line tools or the Java file APIs can be used to enumerate file system contents. However, Linux file permissions and SELinux policies generally strongly restrict what can be accessed by apps (without taking advantage of a privilege escalation exploit). The contents of the external storage directory are generally visible, which could present concern if sensitive data is inappropriately stored there.

T1472 Generate Fraudulent Advertising Revenue

An adversary could seek to generate fraudulent advertising revenue from mobile devices, for example by triggering automatic clicks of advertising links without user involvement.

T1478 Install Insecure or Malicious Configuration

An adversary could attempt to install insecure or malicious configuration settings on the mobile device, through means such as phishing emails or text messages either directly containing the configuration settings as an attachment, or containing a web link to the configuration settings. The device user may be tricked into installing the configuration settings through social engineering techniques .

T1464 Jamming or Denial of Service

An attacker could jam radio signals (e.g. Wi-Fi, cellular, GPS) to prevent the mobile device from communicating.

T1422 Local Network Configuration Discovery

On Android, details of onboard network interfaces are accessible to apps through the java.net.NetworkInterface class . The Android TelephonyManager class can be used to gather related information such as the IMSI, IMEI, and phone number .

T1421 Local Network Connections Discovery

On Android, applications can use standard APIs to gather a list of network connections to and from the device. For example, the Network Connections app available in the Google Play Store advertises this functionality.

T1430 Location Tracking

An adversary could use a malicious or exploited application to surreptitiously track the device's physical location through use of standard operating system APIs.

T1446 Lock User Out of Device

An adversary may seek to lock the legitimate user out of the device, for example until a ransom is paid.

T1461 Lockscreen Bypass

An adversary with physical access to a mobile device may seek to bypass the device's lockscreen.

T1417 Malicious Third Party Keyboard App

A malicious app can register as a device keyboard and intercept keypresses containing sensitive values such as usernames and passwords. Zeltser describes these risks.

T1452 Manipulate App Store Rankings or Ratings

An adversary could use access to a compromised device's credentials to attempt to manipulate app store rankings or ratings by triggering application downloads or posting fake reviews of applications. This technique likely requires privileged access (a rooted or jailbroken device).

T1463 Manipulate Device Communication

If network traffic between the mobile device and a remote server is not securely protected, then an attacker positioned on the network may be able to manipulate network communication without being detected. For example, FireEye researchers found in 2014 that 68% of the top 1,000 free applications in the Google Play Store had at least one Transport Layer Security (TLS) implementation vulnerability potentially opening the applications' network traffic to man-in-the-middle attacks .

T1429 Microphone or Camera Recordings

An adversary could use a malicious or exploited application to surreptitiously record activities using the device microphone and/or camera through use of standard operating system APIs.

T1403 Modify cached executable code

ART (the Android Runtime) compiles optimized code on the device itself to improve performance. If an adversary can escalate privileges, he or she may be able to use those privileges to modify the cached code in order to hide malicious behavior. Since the code is compiled on the device, it may not receive the same level of integrity checks that are provided to code running in the system partition.

T1398 Modify OS Kernel or Boot Partition

If an adversary can escalate privileges, he or she may be able to use those privileges to place malicious code in the device kernel or other boot partition components, where the code may evade detection, may persist after device resets, and may not be removable by the device user. In some cases (e.g., the Samsung Knox warranty bit as described under Detection), the attack may be detected but could result in the device being placed in a state that no longer allows certain functionality.

T1400 Modify System Partition

If an adversary can escalate privileges, he or she may be able to use those privileges to place malicious code in the device system partition, where it may persist after device resets and may not be easily removed by the device user.

T1399 Modify Trusted Execution Environment

If an adversary can escalate privileges, he or she may be able to use those privileges to place malicious code in the device's Trusted Execution Environment (TEE) or other similar isolated execution environment where the code can evade detection, may persist after device resets, and may not be removable by the device user. Running code within the TEE may provide an adversary with the ability to monitor or tamper with overall device behavior.

T1423 Network Service Scanning

Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation. Methods to acquire this information include port scans and vulnerability scans from the mobile device. This technique may take advantage of the mobile device's access to an internal enterprise network either through local connectivity or through a Virtual Private Network (VPN).

T1410 Network Traffic Capture or Redirection

An adversary may capture network traffic to and from the device to obtain credentials or other sensitive data, or redirect network traffic to flow through an adversary-controlled gateway to do the same.

T1406 Obfuscated or Encrypted Payload

An app could contain malicious code in obfuscated or encrypted form, then deobfuscate or decrypt the code at runtime to evade many app vetting techniques, as described in .

T1470 Obtain Device Cloud Backups

An adversary who is able to obtain unauthorized access to or misuse authorized access to cloud backup services (e.g. Google's Android backup service or Apple's iCloud) could use that access to obtain sensitive data stored in device backups. For example, the Elcomsoft Phone Breaker product advertises the ability to retrieve iOS backup data from Apple's iCloud . Elcomsoft also describes obtaining WhatsApp communication histories from backups stored in iCloud.

T1448 Premium SMS Toll Fraud

A malicious app could use standard Android APIs to send SMS messages. SMS messages could potentially be sent to premium numbers that charge the device owner and generate revenue for an adversary, for example as described by Lookout in .

T1424 Process Discovery

On Android versions prior to 5, applications can observe information about other processes that are running through methods in the ActivityManager class. On Android versions prior to 7, applications can obtain this information by executing the ps command, or by examining the /proc directory. Starting in Android version 7, use of the Linux kernel's hidepid feature prevents applications (without escalated privileges) from accessing this information .

T1468 Remotely Track Device Without Authorization

An adversary who is able to obtain unauthorized access to or misuse authorized access to cloud services (e.g. Google's Android Device Manager or Apple iCloud's Find my iPhone) or to an enterprise mobility management (EMM) / mobile device management (MDM) server console could use that access to track mobile devices.

T1469 Remotely Wipe Data Without Authorization

An adversary who is able to obtain unauthorized access to or misuse authorized access to cloud services (e.g. Google's Android Device Manager or Apple iCloud's Find my iPhone) or to an EMM console could use that access to wipe enrolled devices .

T1444 Repackaged Application

An adversary could download a legitimate app, disassemble it, add malicious code, and then reassemble the app, for example as described by Zhou and Jiang in . The app would appear to be the original app but contain additional malicious functionality. The adversary could then publish this app to app stores or use another delivery technique.

T1467 Rogue Cellular Base Station

An adversary could set up a rogue cellular base station and then use it to eavesdrop on or manipulate cellular device communication. For example, Ritter and DePerry of iSEC Partners demonstrated this technique using a compromised cellular femtocell at Black Hat USA 2013 .

T1465 Rogue Wi-Fi Access Points

An adversary could set up unauthorized Wi-Fi access points or compromise existing access points and, if the device connects to them, carry out network-based attacks such as eavesdropping on or modifying network communication as described in NIST SP 800-153 .

T1451 SIM Card Swap

An adversary could convince the mobile network operator (e.g. through social networking, forged identification, or insider attacks performed by trusted employees) to issue a new SIM card and associate it with an existing phone number and account . The adversary could then obtain SMS messages or hijack phone calls intended for someone else .

T1437 Standard Application Layer Protocol

Adversaries may communicate using a common, standardized application layer protocol such as HTTP, HTTPS, SMTP, or DNS to avoid detection by blending in with existing traffic.

T1474 Supply Chain Compromise

As further described in ATT&CK for Enterprise, supply chain compromise is the manipulation of products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise. Somewhat related, adversaries could also identify and exploit inadvertently present vulnerabilities. In many cases, it may be difficult to be certain whether exploitable functionality is due to malicious intent or simply inadvertent mistake.

T1426 System Information Discovery

An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, and architecture.

T1415 URL Scheme Hijacking

An iOS application may be able to maliciously claim a URL scheme, allowing it to intercept calls that are meant for a different application. This technique, for example, could be used to capture OAuth authorization codes as described in or to phish user credentials as described in . Related potential security implications are described in . FireEye researchers describe URL scheme hijacking in a blog post , including evidence of its use.

T1411 User Interface Spoofing

User Interface Spoofing can be used to trick users into providing sensitive information, such as account credentials, bank account information, or Personally Identifiable Information (PII) to an unintended entity.

T1447 Wipe Device Data

A malicious application could abuse Android device administrator access to wipe device contents, for example if a ransom is not paid.