T1664 Exploitation for Initial Access

Adversaries may exploit software vulnerabilities to gain initial access to a mobile device.

This can be accomplished in a variety of ways. Vulnerabilities may be present in applications, services, the underlying operating system, or the kernel itself. Several well-known mobile device exploits exist, including FORCEDENTRY, StageFright, and BlueBorne. Furthermore, some vulnerabilities can be exploited without any user interaction (i.e., zero-click exploits; see Exploitation for Client Execution), making them particularly dangerous. Mobile operating system vendors are typically very quick to patch such critical bugs, leaving only a small window in which they can be exploited.

| Item | Value |
|---|---|
| ID | T1664 |
| Sub-techniques | |
| Tactics | TA0027 |
| Platforms | Android, iOS |
| Version | 1.1 |
| Created | 05 December 2023 |
| Last Modified | 27 February 2025 |

Procedure Examples

| ID | Name | Description |
|---|---|---|
| S1094 | BRATA | BRATA has abused WhatsApp vulnerability CVE-2019-3568 to achieve initial access. [2] |
| S0289 | Pegasus for iOS | Pegasus for iOS has used zero-day iMessage exploits for initial access. [1] |

Mitigations

| ID | Mitigation | Description |
|---|---|---|
| M1058 | Antivirus/Antimalware | Mobile security products can potentially detect if a device is vulnerable to a known exploit and can alert the user to update their device. |
| M1001 | Security Updates | Security updates frequently contain patches for known software vulnerabilities. |

References