We study MITER ATT & CK. Mobile Matrices: Device Access. Part 5

  • Tutorial

Discovery and Lateral Movement

Links to all parts:

Part 1. Initial access to a mobile device (Initial Access)
Part 2. Persistence and Escalation of privileges (
Part 3. Obtaining credentials (Credential Access)
Part 4. Bypass protection (Defense Evasion)

Having gained access to a mobile device, the adversary will probably try to use regular means of the operating system to “look around,” to understand what advantage has been gained, whether it helps to achieve the goal of the invasion. This stage of the attack is called Discovery. Survey techniques are aimed at obtaining information about the characteristics of a compromised mobile device, as well as other available network systems.

Having assessed the capabilities available in the attacked environment, the adversary will try to gain access to remote systems, and, possibly, control over them, will attempt to launch malicious tools on remote systems. The described activity is called Lateral Movement. Lateral moving methods also include means of collecting information from remote systems without the use of additional tools, such as RAT (Remote Access Tools) utilities.

The author is not responsible for the possible consequences of applying the information set forth in the article, and also apologizes for possible inaccuracies made in some formulations and terms. The information published is a free retelling of the contents of ATT @ CK Mobile Matrices: Device Access .

Overview (Discovery)

Application Overview (Application Discovery)

Platform: Android, iOS
Description: In order to identify security tools in an attacked system, an attacker may try to identify applications installed on the device that may increase the risk of detecting malicious activity, or vice versa, to identify applications that will be targeted by a further attack.

In Android, applications can use the PackageManager class method to list other applications or other objects with command line access to use the pm command . In iOS, apps can use private API calls to get a list of apps installed on the device. However, an application using private API calls will probably not be accepted in the AppStore.

Protection recommendations: Application verification methods should include means for identifying applications that use the PackageManager class to list other applications, but this approach may be impractical because many applications call the methods of the PackageManager class as part of their regular work. In iOS, application verification tools can similarly look for private API calls.

Device Type Discovery

Platform: Android
Description: On Android, device type information is available through the android.os.Build class . Device information can be used to further exploit targeted exploits that enhance privileges.

Protection recommendations: During the preliminary check, applications that use the android.os.Build class may be detected , however, this measure is not effective, because many applications use this functionality as part of regular work.

File and Directory Discovery

Platform: Android
Description: To list the contents of the file system in Android, you can use the command line tools or Java API for working with files. However, on Linux and SELinux, application access to files is usually very limited (unless you use an exploit to elevate privileges). Typically, applications can access the contents of external storage, so storing sensitive data there inappropriately should be a concern. The iOS security architecture typically limits the ability to detect files and directories without having extended privileges.

Protection Recommendations:The privilege escalation feature is becoming more complex with every new version of Android and iOS. In recent versions of Android, the sandbox has been strengthened, limiting the ability of applications to list the contents of the file system.

Network Service Scanning

Platform: Android, iOS
Description: Using port and vulnerability scanners, attackers can try to get a list of services running on remote devices, including those that have remote exploit vulnerabilities. The presence of a mobile device connecting to the internal network of the enterprise through a local or VPN connection can be perceived by the adversary as a potential advantage.

Process Overview (Process Discovery)

Platform: Android
Description: In Android up to version 5, applications can receive information about other processes that are executed through the methods of the ActivityManager class . On Android older than version 7, applications can obtain this information by running the ps command or by “examining” the / proc directory . Starting with Android 7, using the Linux kernel hidepid function prevents applications without elevated privileges from receiving information about other processes.

Protection recommendations: Using Android OS version 7 and higher.

System Information Discovery

Platform: Android, iOS
Description: An attacker may try to obtain detailed information about the operating system and hardware, including the version, installed fixes, and architecture. On Android, most of the system information is available through the android.os.Build class . On iOS, there are also methods by which applications can access system information.

System Network Configuration Discovery

Platform: Android
Description: In Android, embedded network interface configuration details are available to applications through the java.net.NetworkInteface class . The TelephonyManager class can be used to collect information such as IMSI, IMEI, and phone number.

Protection recommendations: A preliminary analysis of the application should include checking that the application requests ACCESS_NETWORK_STATE permissions (required to access NetworkInterface information ) or READ_PHONE_STATE (required to access TelephonyManager information ). Starting with Android 6.0, applications cannot access the MAC addresses of network interfaces.

Overview of Network Connections (System Network Connections Discovery)

Platform: Android
Description: Applications can use standard APIs to collect data about outgoing and incoming network connections. For example, the NetworkConnections application available on PlayMarket provides this functionality.

Lateral Movement

Attack PC via USB Connection

Platform: Android
Description: In order to carry out attacks on PCs connected to a mobile device, an adversary (having elevated privileges) can make changes to the OS, after which the mobile device will impersonate a USB device: keyboard, mouse, information storage device or network device. This method has been demonstrated on Android. The possibility of implementing this technique on iOS is not known.

Protection recommendations : It is recommended that users connect mobile devices to a PC only if there is a reasonable need (for example, if this is necessary in order to develop and debug mobile applications).

Exploit Enterprise Resources

Platform: Android, iOS
Description: An adversary may try to use corporate servers, workstations or other resources available over the network. This method is used when connecting a mobile device to a corporate network via a local or VPN connection.

Also popular now: