T1404 Exploit OS Vulnerability
A malicious app can exploit unpatched vulnerabilities in the operating system to obtain escalated privileges.
Item | Value |
---|---|
ID | T1404 |
Sub-techniques | |
Tactics | TA0029 |
Platforms | Android, iOS |
Version | 1.0 |
Created | 25 October 2017 |
Last Modified | 17 October 2018 |
Procedure Examples
ID | Name | Description |
---|---|---|
S0440 | Agent Smith | Agent Smith exploits known OS vulnerabilities, including Janus, to replace legitimate applications with malicious versions.[12] |
S0293 | BrainTest | Some original variants of BrainTest had the capability to automatically root some devices, but that behavior was not observed in later samples.[5] |
S0550 | DoubleAgent | DoubleAgent has used exploit tools to gain root, such as TowelRoot.[15] |
S0420 | Dvmap | Dvmap attempts to gain root access by using local exploits.[11] |
S0405 | Exodus | Exodus Two attempts to elevate privileges by using a modified version of the DirtyCow exploit.[10] |
S0182 | FinFisher | FinFisher comes packaged with ExynosAbuse, an Android exploit that can gain root privileges.[9] |
S0290 | Gooligan | Gooligan executes Android root exploits.[3] |
S0322 | HummingBad | HummingBad can exploit unfixed vulnerabilities in older Android versions to root victim phones.[8] |
S0463 | INSOMNIA | INSOMNIA exploits a WebKit vulnerability to achieve root access on the device.[13] |
S0316 | Pegasus for Android | Pegasus for Android attempts to exploit well-known Android OS vulnerabilities to escalate privileges.[4] |
S0289 | Pegasus for iOS | Pegasus for iOS exploits iOS vulnerabilities to escalate privileges.[7] |
S0294 | ShiftyBug | ShiftyBug is packed with at least eight publicly available exploits that can perform rooting.[1] |
S0327 | Skygofree | Skygofree has the capability to exploit several known vulnerabilities and escalate privileges.[2] |
S0324 | SpyDealer | SpyDealer uses the commercial rooting app Baidu Easy Root to gain root privilege and maintain persistence on the victim.[6] |
S0494 | Zen | Zen can obtain root access via a rooting trojan in its infection chain.[14] |
Mitigations
ID | Mitigation | Description |
---|---|---|
M1005 | Application Vetting | Application vetting may be able to identify the presence of exploit code within applications. |
M1001 | Security Updates | - |
M1006 | Use Recent OS Version | - |
References
1. Michael Bentley. (2015, November 4). Lookout discovers new trojanized adware; 20K popular apps caught in the crossfire. Retrieved December 21, 2016.
2. Nikita Buchka and Alexey Firsh. (2018, January 16). Skygofree: Following in the footsteps of HackingTeam. Retrieved September 24, 2018.
3. Check Point Research Team. (2016, November 30). More Than 1 Million Google Accounts Breached by Gooligan. Retrieved December 12, 2016.
4. Mike Murray. (2017, April 3). Pegasus for Android: the other side of the story emerges. Retrieved April 16, 2017.
5. Chris Dehghanpoor. (2016, January 6). Brain Test re-emerges: 13 apps found in Google Play. Retrieved December 21, 2016.
6. Wenjun Hu, Cong Zheng and Zhi Xu. (2017, July 6). SpyDealer: Android Trojan Spying on More Than 40 Apps. Retrieved September 18, 2018.
7. Lookout. (2016). Technical Analysis of Pegasus Spyware. Retrieved December 12, 2016.
8. Dan Goodin. (2016, July 7). 10 million Android phones infected by all-powerful auto-rooting apps. Retrieved January 24, 2017.
9. Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.
10. Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved September 3, 2019.
11. R. Unuchek. (2017, June 8). Dvmap: the first Android malware with code injection. Retrieved December 10, 2019.
12. A. Hazum, F. He, I. Marom, B. Melnykov, A. Polkovnichenko. (2019, July 10). Agent Smith: A New Species of Mobile Malware. Retrieved May 7, 2020.
13. A. Case, D. Lassalle, M. Meltzer, S. Koessel, et al. (2020, April 21). Evil Eye Threat Actor Resurfaces with iOS Exploit and Updated Implant. Retrieved June 2, 2020.
14. Siewierski, L. (2019, January 11). PHA Family Highlights: Zen and its cousins. Retrieved July 27, 2020.
15. A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020.