| mobile |
T1453 |
Abuse Accessibility Features |
First, users should be wary of clicking on suspicious text messages, links and emails. Secondly, users should be wary of granting applications accessibility features. Users may check applications that have been granted accessibility features by going to Settings, then Accessibility. Finally, users should be wary of downloading applications; although applications may be on the Google Play Store, they may not be benign (see Application Versioning). |
| mobile |
T1626 |
Abuse Elevation Control Mechanism |
- |
| mobile |
T1626.001 |
Device Administrator Permissions |
Users should scrutinize every device administration permission request. If the request is not expected or the user does not recognize the application, the application should be uninstalled immediately. |
| mobile |
T1517 |
Access Notifications |
Users should be wary of granting applications dangerous or privacy-intrusive permissions, such as access to notifications. |
| mobile |
T1640 |
Account Access Removal |
Users should be taught that Device Administrator permissions are very dangerous, and very few applications need it. |
| mobile |
T1429 |
Audio Capture |
Users should be wary of granting applications dangerous or privacy-intrusive permissions, such as access to microphone or audio output. |
| mobile |
T1616 |
Call Control |
Users should be encouraged to be very careful with what applications they grant phone call-based permissions to. Further, users should not change their default call handler to applications they do not recognize. |
| mobile |
T1662 |
Data Destruction |
Users should be trained on what device administrator permission request prompts look like, and how to avoid granting permissions on phishing popups. |
| mobile |
T1521 |
Encrypted Channel |
- |
| mobile |
T1521.003 |
SSL Pinning |
Users should be advised to not trust or install self-signed certificates. |
| mobile |
T1642 |
Endpoint Denial of Service |
Users should be cautioned against granting administrative access to applications. |
| mobile |
T1627 |
Execution Guardrails |
Users should be advised to be extra scrutinous of applications that request location or sensitive phone information permissions, and to deny any permissions requests for applications they do not recognize. |
| mobile |
T1627.001 |
Geofencing |
Users should be advised to be extra scrutinous of applications that request location, and to deny any permissions requests for applications they do not recognize. |
| mobile |
T1658 |
Exploitation for Client Execution |
Users should be wary of iMessages from unknown senders. Additionally, users should be instructed not to open unrecognized links or other attachments in text messages. |
| mobile |
T1541 |
Foreground Persistence |
If a user sees a persistent notification they do not recognize, they should uninstall the source application and look for other unwanted applications or anomalies. |
| mobile |
T1643 |
Generate Traffic from Victim |
Users should be advised that applications generally do not require permission to send SMS messages. |
| mobile |
T1628 |
Hide Artifacts |
- |
| mobile |
T1628.001 |
Suppress Application Icon |
Users should be shown what a synthetic activity looks like so they can scrutinize them in the future. |
| mobile |
T1629 |
Impair Defenses |
Providing user guidance around commonly abused features, such as the modal that requests for administrator permissions, should aid in preventing impairing defenses. |
| mobile |
T1629.001 |
Prevent Application Removal |
Users should be warned against granting access to accessibility features and device administration services, and to carefully scrutinize applications that request these dangerous permissions. Users should be taught how to boot into safe mode to uninstall malicious applications that may be interfering with the uninstallation process. |
| mobile |
T1629.003 |
Disable or Modify Tools |
Users should be taught the dangers of rooting or jailbreaking their device. |
| mobile |
T1630 |
Indicator Removal on Host |
Inform users that device rooting or granting unnecessary access to the accessibility service presents security risks that could be taken advantage of without their knowledge. |
| mobile |
T1630.001 |
Uninstall Malicious Application |
Inform users that device rooting or granting unnecessary access to the accessibility service presents security risks that could be taken advantage of without their knowledge. |
| mobile |
T1630.002 |
File Deletion |
Users should be trained on what device administrator permission request prompts look like, and how to avoid granting permissions on phishing popups. |
| mobile |
T1417 |
Input Capture |
Users should be wary of granting applications dangerous or privacy-intrusive permissions, such as keyboard registration or accessibility service access. |
| mobile |
T1417.001 |
Keylogging |
Users should be wary of granting applications dangerous or privacy-intrusive permissions, such as keyboard registration or accessibility service access. |
| mobile |
T1516 |
Input Injection |
Users should be warned against granting access to accessibility features, and to carefully scrutinize applications that request this dangerous permission. |
| mobile |
T1676 |
Linked Devices |
For Android devices, users should be advised to enable Google Play Protect, which checks the device itself and the applications for malicious behavior. For iOS devices, users who are concerned about being targeted should consider enabling Lockdown Mode, which provides extreme protection of the device as well as data stored and transmitted. |
| In general, users should be advised against scanning QR codes and/or clicking on suspicious links or text messages, which may masquerade as device-linking instructions by Signal or WhatsApp. |
|
|
|
|
|
|
|
| mobile |
T1430 |
Location Tracking |
Users should be wary of granting applications dangerous or privacy-intrusive permissions, such as access to location information. Users should also protect their account credentials and enable multi-factor authentication options when available. |
| mobile |
T1430.001 |
Remote Device Management Services |
Users should protect their account credentials and enable multi-factor authentication options when available. |
| mobile |
T1655 |
Masquerading |
Users should be encouraged to only install apps from authorized app stores, which are less likely to contain malicious repackaged apps. |
| mobile |
T1655.001 |
Match Legitimate Name or Location |
Users should be encouraged to only install apps from authorized app stores, which are less likely to contain malicious repackaged apps. |
| mobile |
T1644 |
Out of Band Data |
Users should be instructed to not grant applications unexpected or unnecessary permissions. |
| mobile |
T1660 |
Phishing |
Users can be trained to identify social engineering techniques and phishing emails. |
| mobile |
T1636 |
Protected User Data |
Users should be taught the danger behind granting unnecessary permissions to an application and should be advised to use extra scrutiny when an application requests them. |
| mobile |
T1636.001 |
Calendar Entries |
Calendar access is an uncommonly needed permission, so users should be instructed to use extra scrutiny when granting access to their device calendar. |
| mobile |
T1636.002 |
Call Log |
Call Log access an uncommonly needed permission, so users should be instructedto use extra scrutiny when granting access to their call logs. |
| mobile |
T1636.003 |
Contact List |
Contact list access is an uncommonly needed permission, so users should be instructed to use extra scrutiny when granting access to their contact list. |
| mobile |
T1636.004 |
SMS Messages |
Access to SMS messages is an uncommonly needed permission, so users should be instructed to use extra scrutiny when granting access to their SMS messages. |
| mobile |
T1636.005 |
Accounts |
Access to accounts is an uncommonly needed permission, so users should be instructed to use extra scrutiny when granting access to their accounts. |
| mobile |
T1663 |
Remote Access Software |
Users should be encouraged to be very careful with granting dangerous permissions, such as device administrator or access to device accessibility. |
| mobile |
T1458 |
Replication Through Removable Media |
Users should be advised not to use public charging stations or computers to charge their devices. Instead, users should be issued a charger acquired from a trustworthy source. Users should be advised not to click on device prompts to trust attached computers unless absolutely necessary. |
| mobile |
T1513 |
Screen Capture |
Users should be advised not to grant consent for screen captures to occur unless expected. Users should avoid enabling USB debugging (Android Debug Bridge) unless explicitly required. |
| mobile |
T1451 |
SIM Card Swap |
The user should become familiar with social engineering tactics that ask for Personally Identifiable Information (PII). Additionally, the user should include the use of hardware tokens, biometrics, and other non-SMS based authentication mechanisms where possible. Finally, the user should enable SIM swapping protections offered by the mobile carrier, such as setting up a PIN or password to authorize any changes to the account. |
| mobile |
T1582 |
SMS Control |
Users should be encouraged to be very careful with what applications they grant SMS access to. Further, users should not change their default SMS handler to applications they do not recognize. |
| mobile |
T1418 |
Software Discovery |
iOS users should be instructed to not download applications from unofficial sources, as applications distributed via the Apple App Store cannot list installed applications on a device. |
| mobile |
T1418.001 |
Security Software Discovery |
iOS users should be instructed to not download applications from unofficial sources, as applications distributed via the Apple App Store cannot list installed applications on a device. |
| mobile |
T1635 |
Steal Application Access Token |
Users should be instructed to not open links in applications they don’t recognize. |
| mobile |
T1635.001 |
URI Hijacking |
Users should be instructed to not open links in applications they don’t recognize. |
| mobile |
T1632 |
Subvert Trust Controls |
Typically, insecure or malicious configuration settings are not installed without the user’s consent. Users should be advised not to install unexpected configuration settings (CA certificates, iOS Configuration Profiles, Mobile Device Management server provisioning). |
| mobile |
T1632.001 |
Code Signing Policy Modification |
Typically, insecure or malicious configuration settings are not installed without the user’s consent. Users should be advised not to install unexpected configuration settings (CA certificates, iOS Configuration Profiles, Mobile Device Management server provisioning). |
| mobile |
T1670 |
Virtualization Solution |
Users should be encouraged to only install apps from authorized app stores, which are less likely to contain malicious applications. |