TA0027 Initial Access
The adversary is trying to get into your device.
The initial access tactic represents the vectors adversaries use to gain an initial foothold onto a mobile device.
|Created||17 October 2018|
|Last Modified||27 January 2020|
|T1475||Deliver Malicious App via Authorized App Store||Malicious applications are a common attack vector used by adversaries to gain a presence on mobile devices. Mobile devices often are configured to allow application installation only from an authorized app store (e.g., Google Play Store or Apple App Store). An adversary may seek to place a malicious application in an authorized app store, enabling the application to be installed onto targeted devices.|
|T1476||Deliver Malicious App via Other Means||Malicious applications are a common attack vector used by adversaries to gain a presence on mobile devices. This technique describes installing a malicious application on targeted mobile devices without involving an authorized app store (e.g., Google Play Store or Apple App Store). Adversaries may wish to avoid placing malicious applications in an authorized app store due to increased potential risk of detection or other reasons. However, mobile devices often are configured to allow application installation only from an authorized app store which would prevent this technique from working.|
|T1456||Drive-by Compromise||As described by Drive-by Compromise, a drive-by compromise is when an adversary gains access to a system through a user visiting a website over the normal course of browsing. With this technique, the user’s web browser is targeted for exploitation. For example, a website may contain malicious media content intended to exploit vulnerabilities in media parsers as demonstrated by the Android Stagefright vulnerability .|
|T1458||Exploit via Charging Station or PC||If the mobile device is connected (typically via USB) to a charging station or a PC, for example to charge the device’s battery, then a compromised or malicious charging station or PC could attempt to exploit the mobile device via the connection.|
|T1477||Exploit via Radio Interfaces||The mobile device may be targeted for exploitation through its interface to cellular networks or other radio interfaces.|
|T1478||Install Insecure or Malicious Configuration||An adversary could attempt to install insecure or malicious configuration settings on the mobile device, through means such as phishing emails or text messages either directly containing the configuration settings as an attachment, or containing a web link to the configuration settings. The device user may be tricked into installing the configuration settings through social engineering techniques .|
|T1461||Lockscreen Bypass||An adversary with physical access to a mobile device may seek to bypass the device’s lockscreen.|
|T1444||Masquerade as Legitimate Application||An adversary could distribute developed malware by masquerading the malware as a legitimate application. This can be done in two different ways: by embedding the malware in a legitimate application, or by pretending to be a legitimate application.|
|T1474||Supply Chain Compromise||As further described in Supply Chain Compromise, supply chain compromise is the manipulation of products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise. Somewhat related, adversaries could also identify and exploit inadvertently present vulnerabilities. In many cases, it may be difficult to be certain whether exploitable functionality is due to malicious intent or simply inadvertent mistake.|