T1404 Exploitation for Privilege Escalation

Adversaries may exploit software vulnerabilities in order to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in an application, a service, the operating system, or the kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and the use of certain techniques. Adversaries will therefore often need to escalate privileges, including through software exploitation, to circumvent those restrictions.

When initially gaining access to a device, an adversary may be operating within a lower-privileged process (for example an app sandbox) that prevents them from accessing certain resources on the system. Vulnerabilities may exist, usually in operating system components and services running at higher permissions, that can be exploited to gain higher levels of access on the system. Depending on which component is vulnerable, this can take an adversary from unprivileged or user-level permissions to root (or, on iOS, a jailbroken state with kernel-level access).

Item: Value
ID: T1404
Sub-techniques: none
Tactics: TA0029 (Privilege Escalation)
Platforms: Android, iOS
Version: 2.1
Created: 25 October 2017
Last Modified: 24 October 2025

Procedure Examples

ID | Name | Description
S1061 | AbstractEmu | AbstractEmu can use rooting exploits to silently give itself permissions or install additional malware. [3]
S0440 | Agent Smith | Agent Smith exploits known OS vulnerabilities, including Janus, to replace legitimate applications with malicious versions. [8]
S0293 | BrainTest | Some original variants of BrainTest had the capability to automatically root some devices, but that behavior was not observed in later samples. [1]
S0550 | DoubleAgent | DoubleAgent has used exploit tools to gain root, such as TowelRoot. [9]
S0420 | Dvmap | Dvmap attempts to gain root access by using local exploits. [12]
S0405 | Exodus | Exodus Two attempts to elevate privileges by using a modified version of the DirtyCow exploit. [5]
S0182 | FinFisher | FinFisher comes packaged with ExynosAbuse, an Android exploit that can gain root privileges. [11]
S0290 | Gooligan | Gooligan executes Android root exploits. [10]
S0322 | HummingBad | HummingBad can exploit unfixed vulnerabilities in older Android versions to root victim phones. [13]
S0463 | INSOMNIA | INSOMNIA exploits a WebKit vulnerability to achieve root access on the device. [2]
S1185 | LightSpy | LightSpy uses the embedded time_waste function to bypass standard iOS API restrictions and enable unauthorized audio/video recording. This exploit injects a .dylib into the SpringBoard process, allowing persistent access to audio and video capture. [16][17]
C0054 | Operation Triangulation | During Operation Triangulation, the threat actors exploited a kernel vulnerability to obtain root privileges. [20]
S0316 | Pegasus for Android | Pegasus for Android attempts to exploit well-known Android OS vulnerabilities to escalate privileges. [6]
S0289 | Pegasus for iOS | Pegasus for iOS exploits iOS vulnerabilities to escalate privileges. [7]
S1126 | Phenakite | Phenakite has included exploits for jailbreaking infected devices. [18]
S0294 | ShiftyBug | ShiftyBug is packed with at least eight publicly available exploits that can perform rooting. [19]
S0327 | Skygofree | Skygofree has the capability to exploit several known vulnerabilities and escalate privileges. [15]
S0324 | SpyDealer | SpyDealer uses the commercial rooting app Baidu Easy Root to gain root privilege and maintain persistence on the victim. [14]
S0494 | Zen | Zen can obtain root access via a rooting trojan in its infection chain. [4]

Mitigations

ID | Mitigation | Description
M1002 | Attestation | Device attestation can often detect jailbroken or rooted devices. The verdict is only meaningful when it is verified server-side, bound to a server-issued nonce, and checked for freshness; a verdict evaluated on the (possibly compromised) device itself can be tampered with.
M1010 | Deploy Compromised Device Detection Method | Mobile security products can potentially detect jailbroken or rooted devices.
M1001 | Security Updates | Security updates often contain patches for vulnerabilities. Most of the exploits in the procedure examples above target publicly known, already-patched bugs on devices that had not been updated.
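The following is an added example of the server-side half of mitigation M1002 (it is not code from the ATT&CK page or from any of the listed malware reports). It evaluates a decoded device-attestation verdict of the kind a mobile app relays to its backend. The field names follow the decoded Play Integrity verdict JSON (requestDetails, appIntegrity, deviceIntegrity); the package name, nonce, freshness window and the three sample verdicts are constructed for this example. The point it demonstrates is that an empty device verdict is the rooted/unlocked signal, and that without nonce binding and freshness checks a clean device's verdict can simply be replayed from a rooted one.

```python
"""Server-side evaluation of a device-attestation verdict.

Added example: field names follow the decoded Play Integrity verdict JSON;
the package name, nonce, policy values and sample verdicts are constructed.
"""
import copy
import secrets
import time
from typing import List, Optional, Tuple

# Device verdicts, weakest to strongest. An empty list means the device failed
# even basic integrity: typically rooted, bootloader-unlocked or an emulator.
INTEGRITY_LEVELS = ("MEETS_BASIC_INTEGRITY",
                    "MEETS_DEVICE_INTEGRITY",
                    "MEETS_STRONG_INTEGRITY")

MAX_AGE_MS = 5 * 60 * 1000      # freshness window (assumed policy value)
CLOCK_SKEW_MS = 60 * 1000       # tolerated client/server clock difference


def issue_nonce() -> str:
    """Server-issued, single-use nonce the client must embed in its request."""
    return secrets.token_urlsafe(32)


def evaluate_verdict(verdict: dict, expected_nonce: str, expected_package: str,
                     required_level: str = "MEETS_DEVICE_INTEGRITY",
                     now_ms: Optional[int] = None) -> Tuple[bool, List[str]]:
    """Return (accept, reasons). Every check must pass for accept to be True."""
    reasons: List[str] = []
    if now_ms is None:
        now_ms = int(time.time() * 1000)

    req = verdict.get("requestDetails", {})

    # 1. Binding: the verdict must carry the nonce we issued for this session,
    #    otherwise it may be a verdict captured on a clean device and replayed.
    got_nonce = str(req.get("nonce", "")).encode()
    if not secrets.compare_digest(got_nonce, expected_nonce.encode()):
        reasons.append("nonce mismatch: verdict is not bound to this session")

    # 2. The verdict must have been produced for our app, not another package.
    if req.get("requestPackageName") != expected_package:
        reasons.append("requestPackageName mismatch")

    # 3. Freshness: reject old verdicts and verdicts dated in the future.
    try:
        ts = int(req.get("timestampMillis"))
    except (TypeError, ValueError):
        ts = None
    if ts is None or now_ms - ts > MAX_AGE_MS or ts - now_ms > CLOCK_SKEW_MS:
        reasons.append("timestampMillis missing, stale or in the future")

    # 4. App integrity: the installed binary must be the one Play recognizes
    #    (repackaged apps, as in the Agent Smith case above, fail here).
    app = verdict.get("appIntegrity", {}).get("appRecognitionVerdict")
    if app != "PLAY_RECOGNIZED":
        reasons.append(f"appRecognitionVerdict is {app!r}, not PLAY_RECOGNIZED")

    # 5. Device integrity: compare the strongest level granted with policy.
    levels = verdict.get("deviceIntegrity", {}).get("deviceRecognitionVerdict", [])
    known = [INTEGRITY_LEVELS.index(l) for l in levels if l in INTEGRITY_LEVELS]
    if not known:
        reasons.append("no device integrity verdict: device likely rooted, "
                       "unlocked or emulated")
    elif max(known) < INTEGRITY_LEVELS.index(required_level):
        reasons.append(f"device integrity below required {required_level}")

    return (not reasons, reasons)


# Constructed sample verdicts (decoded JSON as the backend would see it).
NOW_MS = 1_700_000_000_000
PACKAGE = "com.example.bank"             # assumed package name
NONCE = "c2VydmVyLWlzc3VlZC1ub25jZQ"     # assumed nonce issued for this session

CLEAN_VERDICT = {
    "requestDetails": {"requestPackageName": PACKAGE, "nonce": NONCE,
                       "timestampMillis": NOW_MS - 10_000},
    "appIntegrity": {"appRecognitionVerdict": "PLAY_RECOGNIZED"},
    "deviceIntegrity": {"deviceRecognitionVerdict": ["MEETS_DEVICE_INTEGRITY",
                                                     "MEETS_BASIC_INTEGRITY"]},
}

# Same request, but the device failed every integrity check: what a rooted or
# bootloader-unlocked phone typically produces.
ROOTED_VERDICT = copy.deepcopy(CLEAN_VERDICT)
ROOTED_VERDICT["deviceIntegrity"]["deviceRecognitionVerdict"] = []

# A verdict captured from a clean device and replayed an hour later.
REPLAYED_VERDICT = copy.deepcopy(CLEAN_VERDICT)
REPLAYED_VERDICT["requestDetails"]["timestampMillis"] = NOW_MS - 3_600_000


if __name__ == "__main__":
    for name, v in [("clean", CLEAN_VERDICT), ("rooted", ROOTED_VERDICT),
                    ("replayed", REPLAYED_VERDICT)]:
        ok, why = evaluate_verdict(v, NONCE, PACKAGE, now_ms=NOW_MS)
        print(f"{name:9s} accept={ok} {why}")
```

Requiring MEETS_STRONG_INTEGRITY (hardware-backed boot state) is the stricter policy for high-value actions, since a kernel-level exploit of the kind listed in the procedure examples can defeat software-only checks on the device; the trade-off is that older devices without that level are then rejected.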

References

  1. Chris Dehghanpoor. (2016, January 6). Brain Test re-emerges: 13 apps found in Google Play. Retrieved December 21, 2016.
  2. A. Case, D. Lassalle, M. Meltzer, S. Koessel, et al. (2020, April 21). Evil Eye Threat Actor Resurfaces with iOS Exploit and Updated Implant. Retrieved June 2, 2020.
  3. P. Shunk, K. Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. Retrieved February 6, 2023.
  4. Siewierski, L. (2019, January 11). PHA Family Highlights: Zen and its cousins. Retrieved July 27, 2020.
  5. Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved November 17, 2024.
  6. Mike Murray. (2017, April 3). Pegasus for Android: the other side of the story emerges. Retrieved April 16, 2017.
  7. Lookout. (2016). Technical Analysis of Pegasus Spyware. Retrieved December 12, 2016.
  8. A. Hazum, F. He, I. Marom, B. Melnykov, A. Polkovnichenko. (2019, July 10). Agent Smith: A New Species of Mobile Malware. Retrieved May 7, 2020.
  9. A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020.
  10. Check Point Research Team. (2016, November 30). More Than 1 Million Google Accounts Breached by Gooligan. Retrieved December 12, 2016.
  11. Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.
  12. R. Unuchek. (2017, June 8). Dvmap: the first Android malware with code injection. Retrieved December 10, 2019.
  13. Dan Goodin. (2016, July 7). 10 million Android phones infected by all-powerful auto-rooting apps. Retrieved January 24, 2017.
  14. Wenjun Hu, Cong Zheng and Zhi Xu. (2017, July 6). SpyDealer: Android Trojan Spying on More Than 40 Apps. Retrieved September 18, 2018.
  15. Nikita Buchka and Alexey Firsh. (2018, January 16). Skygofree: Following in the footsteps of HackingTeam. Retrieved September 24, 2018.
  16. Dmitry Bestuzhev. (2025, April 7). The Coordinated Kill Switch: LightSpy's iOS Destructive Plugin Architecture Manages Device Disablement. Retrieved April 14, 2025.
  17. ThreatFabric. (2024, October 29). LightSpy: Implant for iOS. Retrieved January 30, 2025.
  18. Flossman, M., Scott, M. (2021, April). Technical Paper // Taking Action Against Arid Viper. Retrieved November 17, 2024.
  19. Michael Bentley. (2015, November 4). Lookout discovers new trojanized adware; 20K popular apps caught in the crossfire. Retrieved December 21, 2016.
  20. Kucherin, G., et al. (2023, June 21). Dissecting TriangleDB, a Triangulation spyware implant. Retrieved April 18, 2024.