
T1663 Remote Access Software

Adversaries may use legitimate remote access software, such as VNC, TeamViewer, AirDroid, AirMirror, etc., to establish an interactive command and control channel to target mobile devices.

Remote access applications may be installed and used post-compromise as an alternate communication channel for redundant access or as a way to establish an interactive remote session with the target device. They may also be used as a component of malware to establish a reverse connection to an adversary-controlled system or service. Installation of remote access tools may also include persistence.

| Item | Value |
|---|---|
| ID | T1663 |
| Sub-techniques | |
| Tactics | TA0037 |
| Platforms | Android, iOS |
| Version | 1.0 |
| Created | 25 September 2023 |
| Last Modified | 16 April 2025 |

Procedure Examples

| ID | Name | Description |
|---|---|---|
| S1094 | BRATA | BRATA can view a device through VNC.[1] |
| S1092 | Escobar | Escobar can use VNC to remotely control an infected device.[2] |

Mitigations

| ID | Mitigation | Description |
|---|---|---|
| M1012 | Enterprise Policy | When devices are enrolled in an EMM/MDM using device owner (iOS) or fully managed (Android) mode, the EMM/MDM can collect a list of installed applications on the device. An administrator can then act on that list, for example by blocking specific remote access applications from being installed on managed devices. |
| M1011 | User Guidance | Users should be encouraged to be very careful with granting dangerous permissions, such as device administrator or access to device accessibility. |
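
The following is an added example, not part of the ATT&CK entry, of acting on the installed-application list described under M1012 while weighting the permissions named under M1011. The inventory format, the grant labels, and the package IDs chosen for the tools named above are assumptions to check against your own EMM/MDM export and app catalogue.

```python
import json

# Assumed Android package IDs for tools the page names; confirm them against
# your own app catalogue before turning this into a block policy.
REMOTE_ACCESS_PACKAGES = {
    "com.teamviewer.teamviewer.market.mobile": "TeamViewer",
    "com.sand.airdroid": "AirDroid",
    "com.sand.airmirror": "AirMirror",
    "com.realvnc.viewer.android": "VNC Viewer",
}
SENSITIVE_GRANTS = {"device_admin", "accessibility_service"}  # hypothetical labels
PLAY_STORE = "com.android.vending"  # installer package of Google Play

# Constructed sample of an EMM/MDM inventory export (hypothetical schema).
SAMPLE_INVENTORY = json.loads("""[
 {"device": "A-1001", "apps": [
  {"package": "com.sand.airdroid", "installer": "com.android.vending", "grants": []},
  {"package": "com.example.notes", "installer": "com.android.vending", "grants": []}]},
 {"device": "A-1002", "apps": [
  {"package": "com.teamviewer.teamviewer.market.mobile", "installer": "com.android.vending", "grants": ["accessibility_service"]},
  {"package": "com.example.flashplayer.update", "installer": null, "grants": ["accessibility_service", "device_admin"]}]}
]""")

def triage(inventory):
    """Return (device, package, severity, reason) tuples, high severity first."""
    findings = []
    for device in inventory:
        for app in device.get("apps", []):
            pkg = app.get("package", "")
            grants = sorted(SENSITIVE_GRANTS & set(app.get("grants") or []))
            tool = REMOTE_ACCESS_PACKAGES.get(pkg)
            if tool and grants:
                finding = ("high", f"{tool} holding {', '.join(grants)}")
            elif tool:
                finding = ("medium", f"{tool} installed")
            elif app.get("installer") != PLAY_STORE and grants:
                # A name denylist misses remote access bundled inside malware,
                # so also surface non-store apps holding these grants.
                finding = ("high", f"non-store app holding {', '.join(grants)}")
            else:
                continue
            findings.append((device["device"], pkg, *finding))
    return sorted(findings, key=lambda f: (f[2] != "high", f[0], f[1]))

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print(*row, sep=" | ")
```
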

References