Currently viewing ATT&CK v10.1 which was live between October 21, 2021 and April 24, 2022. Learn more about the versioning system or see the live site.
  1. Home
  2. Techniques
  3. Mobile
  4. Exploit OS Vulnerability

Exploit OS Vulnerability

A malicious app can exploit unpatched vulnerabilities in the operating system to obtain escalated privileges.

ID: T1404
Sub-techniques:  No sub-techniques
Tactic Type: Post-Adversary Device Access
Tactic: Privilege Escalation
Platforms: Android, iOS
MTC ID: APP-26
Version: 1.0
Created: 25 October 2017
Last Modified: 17 October 2018

Procedure Examples

ID Name Description
S0440 Agent Smith

Agent Smith exploits known OS vulnerabilities, including Janus, to replace legitimate applications with malicious versions.[1]
S0293 BrainTest

Some original variants of BrainTest had the capability to automatically root some devices, but that behavior was not observed in later samples.[2]
S0550 DoubleAgent

DoubleAgent has used exploit tools to gain root, such as TowelRoot.[3]
S0420 Dvmap

Dvmap attempts to gain root access by using local exploits.[4]
S0405 Exodus

Exodus Two attempts to elevate privileges by using a modified version of the DirtyCow exploit.[5]

S0182 FinFisher

FinFisher comes packaged with ExynosAbuse, an Android exploit that can gain root privileges.[6]
S0290 Gooligan

Gooligan executes Android root exploits.[7]
S0322 HummingBad

HummingBad can exploit unfixed vulnerabilities in older Android versions to root victim phones.[8]
S0463 INSOMNIA

INSOMNIA exploits a WebKit vulnerability to achieve root access on the device.[9]
S0316 Pegasus for Android

Pegasus for Android attempts to exploit well-known Android OS vulnerabilities to escalate privileges.[10]
S0289 Pegasus for iOS

Pegasus for iOS exploits iOS vulnerabilities to escalate privileges.[11]
S0294 ShiftyBug

ShiftyBug is packed with at least eight publicly available exploits that can perform rooting.[12]
S0327 Skygofree

Skygofree has the capability to exploit several known vulnerabilities and escalate privileges.[13]
S0324 SpyDealer

SpyDealer uses the commercial rooting app Baidu Easy Root to gain root privilege and maintain persistence on the victim.[14]
S0494 Zen

Zen can obtain root access via a rooting trojan in its infection chain.[15]

Mitigations

ID Mitigation Description
M1005 Application Vetting

Application vetting may be able to identify the presence of exploit code within applications.
M1001 Security Updates
M1006 Use Recent OS Version

References

  1. A. Hazum, F. He, I. Marom, B. Melnykov, A. Polkovnichenko. (2019, July 10). Agent Smith: A New Species of Mobile Malware. Retrieved May 7, 2020.
  2. Chris Dehghanpoor. (2016, January 6). Brain Test re-emerges: 13 apps found in Google Play Read more: Brain Test re-emerges: 13 apps found in Google Play. Retrieved December 21, 2016.
  3. A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020.
  4. R. Unuchek. (2017, June 8). Dvmap: the first Android malware with code injection. Retrieved December 10, 2019.
  5. Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved September 3, 2019.
  6. Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.
  7. Check Point Research Team. (2016, November 30). More Than 1 Million Google Accounts Breached by Gooligan. Retrieved December 12, 2016.
  8. Dan Goodin. (2016, July 7). 10 million Android phones infected by all-powerful auto-rooting apps. Retrieved January 24, 2017.
  1. A. Case, D. Lassalle, M. Meltzer, S. Koessel, et al.. (2020, April 21). Evil Eye Threat Actor Resurfaces with iOS Exploit and Updated Implant. Retrieved June 2, 2020.
  2. Mike Murray. (2017, April 3). Pegasus for Android: the other side of the story emerges. Retrieved April 16, 2017.
  3. Lookout. (2016). Technical Analysis of Pegasus Spyware. Retrieved December 12, 2016.
  4. Michael Bentley. (2015, November 4). Lookout discovers new trojanized adware; 20K popular apps caught in the crossfire. Retrieved December 21, 2016.
  5. Nikita Buchka and Alexey Firsh. (2018, January 16). Skygofree: Following in the footsteps of HackingTeam. Retrieved September 24, 2018.
  6. Wenjun Hu, Cong Zheng and Zhi Xu. (2017, July 6). SpyDealer: Android Trojan Spying on More Than 40 Apps. Retrieved September 18, 2018.
  7. Siewierski, L. (2019, January 11). PHA Family Highlights: Zen and its cousins . Retrieved July 27, 2020.