We study MITRE ATT&CK. Mobile Matrices: Device Access. Part 4


Defense Evasion

Links to all parts:
Part 1. Initial access to a mobile device (Initial Access)
Part 2. Persistence and Escalation of privileges (
Part 3. Obtaining credentials (Credential Access)
Part 4. Bypass protection (Defense Evasion)
Part 5. Discovery and Lateral Movement

Defense evasion techniques are used by attackers to avoid detection of their malicious activity, or in combination with other techniques to reach a tactical goal by undermining a specific protection. Defense evasion is therefore best thought of as a set of techniques an adversary applies at every stage of an attack rather than a single phase.

The author bears no responsibility for any consequences of applying the information in this article, and apologises for possible inaccuracies in some wording and terms. The published material is a free retelling of the content of ATT&CK Mobile Matrices: Device Access.

Application Discovery

Platform: Android, iOS
Description: Attackers may try to enumerate all applications installed on the device, either to determine whether security tools are present (which would raise the risk of detection) or, conversely, to pick out the applications that will be targeted by the next step of the attack.

Android applications can list other applications through methods of the PackageManager class, or by running the pm command-line tool (for example, pm list packages) from a shell. iOS apps can use private API calls to obtain the list of installed apps; however, an app that uses private APIs is unlikely to pass App Store review, so distribution through the App Store is likely impossible.

Protection Recommendations: Android application vetting should include checks that detect use of PackageManager methods to enumerate other applications, so that such apps can be singled out for further analysis. This approach may be impractical on its own, because many applications call PackageManager methods as part of their normal operation. On iOS, vetting can similarly look for private API calls, although an application using private APIs is unlikely to be accepted into the App Store in the first place.

Masking root access or jailbreak indicators (Disguise Root / Jailbreak Indicators)

Platform: Android, iOS
Description: An adversary who knows how detection works can avoid it. For example, some mobile security tools detect a compromised device by looking for specific artifacts, such as an installed su binary; that check is bypassed simply by giving the binary a different name. An adversary may also use polymorphic code to evade signature-based detection.
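The renamed-su case above, shown as an added example (not part of the article or of ATT&CK): a root check keyed on the file name is trivially disguised, whereas a layered check that looks at setuid bits, build properties and installed root-manager packages is not. The device snapshot is a constructed dict standing in for stat() results, getprop output and the package list; the property names, package names and mode bits are the real ones.

```python
"""Added example: name-based root detection versus a layered check.
The snapshot dicts below are constructed; on a real device the values
would come from os.stat()/os.listdir(), `getprop` and PackageManager."""
import stat

# Paths a naive check looks at: a renamed su is simply not here.
SU_PATHS = ["/system/bin/su", "/system/xbin/su", "/sbin/su", "/vendor/bin/su"]
BIN_DIRS = ["/system/bin", "/system/xbin", "/sbin", "/vendor/bin"]
# Package names of well-known root managers (real identifiers).
ROOT_MANAGER_PKGS = {
    "eu.chainfire.supersu",
    "com.topjohnwu.magisk",
    "com.koushikdutta.superuser",
}


def detect_root_by_name(snapshot):
    """Naive check: is there a file literally called su in a known location?"""
    return any(p in snapshot["files"] for p in SU_PATHS)


def detect_root_layered(snapshot):
    """Collect independent indicators; none of them depends on the binary's name.
    Returns a list of human-readable findings (empty list = nothing found)."""
    indicators = []
    for path, (mode, uid) in snapshot["files"].items():
        in_bin_dir = any(path.startswith(d + "/") for d in BIN_DIRS)
        # A setuid binary owned by root in a system bin directory is an
        # escalation path whatever it is called.
        if in_bin_dir and uid == 0 and (mode & stat.S_ISUID):
            indicators.append(f"setuid-root binary: {path}")
    props = snapshot["props"]
    if "test-keys" in props.get("ro.build.tags", ""):
        indicators.append("ro.build.tags contains test-keys (non-release build)")
    if props.get("ro.debuggable") == "1":
        indicators.append("ro.debuggable=1")
    if props.get("ro.secure") == "0":
        indicators.append("ro.secure=0 (adbd runs as root)")
    for pkg in sorted(snapshot["packages"] & ROOT_MANAGER_PKGS):
        indicators.append(f"root manager installed: {pkg}")
    return indicators


# Constructed snapshot: su renamed to daemonsu, setuid root (mode 0o104755).
ROOTED_RENAMED_SU = {
    "files": {
        "/system/xbin/daemonsu": (0o104755, 0),
        "/system/bin/ls": (0o100755, 0),
    },
    "props": {"ro.build.tags": "test-keys", "ro.debuggable": "1", "ro.secure": "0"},
    "packages": {"com.android.chrome", "eu.chainfire.supersu"},
}

# Constructed snapshot of a stock device.
STOCK = {
    "files": {"/system/bin/ls": (0o100755, 0)},
    "props": {"ro.build.tags": "release-keys", "ro.debuggable": "0", "ro.secure": "1"},
    "packages": {"com.android.chrome"},
}

if __name__ == "__main__":
    print("name-based:", detect_root_by_name(ROOTED_RENAMED_SU))   # False: evaded
    for line in detect_root_layered(ROOTED_RENAMED_SU):
        print("layered:", line)
```

The layered check still only raises the bar: a root solution that hides its daemon from the app's mount namespace and patches the build properties will need behavioural or attestation-based detection (covered later under Modify OS Kernel or Boot Partition).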

Download New Code at Runtime

Platform: Android, iOS
Description: To avoid having malicious code found by the static (and possibly dynamic) analysis performed by an enterprise vetting process or an app store, a malicious application can download and execute code that is not included in the application package after installation.
On Android, dynamically loaded code can be native code, Dalvik (DEX) code, or JavaScript that reaches into the app through the addJavascriptInterface mechanism of Android WebView. iOS also has ways of executing code that is downloaded after the application has been installed.

Protection Recommendations: Application vetting technologies (static and dynamic analysis) can detect signs that an application loads new code at run time (on Android, use of DexClassLoader, System.load or WebView.addJavascriptInterface; on iOS, use of JSPatch or similar frameworks). Unfortunately this only partially mitigates the risk: flagged applications still need additional review, because developers often use these mechanisms without malicious intent, and a malicious application can hide its use of code-loading APIs (for example through reflection or obfuscation).
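A pre-screen of the kind the Application Discovery and Download New Code at Runtime recommendations describe, as an added example (not code from the article or from MITRE): it walks a disassembled smali listing, flags calls to PackageManager enumeration methods and the pm shell command, and flags DexClassLoader, System.load and addJavascriptInterface, then triages the result the way the text suggests (PackageManager use alone is a weak signal; combined with run-time code loading it warrants manual review). The class and method names are the real Android framework ones; the listing is constructed and assumes baksmali-style output.

```python
"""Added example: static watchlist scan over a smali listing for
Application Discovery and Download New Code at Runtime indicators."""
import re
from collections import defaultdict

# Real framework signatures, grouped by the ATT&CK technique they relate to.
# System.loadLibrary is deliberately left out: nearly every app with native
# code calls it, so it adds noise without adding signal.
WATCHLIST = {
    "Application Discovery": (
        "Landroid/content/pm/PackageManager;->getInstalledApplications",
        "Landroid/content/pm/PackageManager;->getInstalledPackages",
        "Landroid/content/pm/PackageManager;->queryIntentActivities",
    ),
    "Download New Code at Runtime": (
        "Ldalvik/system/DexClassLoader;-><init>",
        "Ldalvik/system/PathClassLoader;-><init>",
        "Ldalvik/system/InMemoryDexClassLoader;-><init>",
        "Ljava/lang/System;->load(",
        "Ljava/lang/Runtime;->load(",
        "Landroid/webkit/WebView;->addJavascriptInterface",
    ),
}
# The same enumeration done through the shell instead of the API.
SHELL_PATTERNS = {
    "Application Discovery": re.compile(r'const-string .*"pm\s+list\s+packages'),
}
INVOKE_RE = re.compile(
    r'^\s*invoke-(?:virtual|direct|static|interface|super)(?:/range)?'
    r'\s+\{[^}]*\},\s*(\S+)'
)


def scan_smali(listing: str):
    """Return {technique: [(line_no, matched text), ...]} for every hit."""
    hits = defaultdict(list)
    for n, line in enumerate(listing.splitlines(), 1):
        m = INVOKE_RE.match(line)
        if m:
            target = m.group(1)
            for technique, sigs in WATCHLIST.items():
                if any(target.startswith(s) for s in sigs):
                    hits[technique].append((n, target))
        for technique, pat in SHELL_PATTERNS.items():
            if pat.search(line):
                hits[technique].append((n, line.strip()))
    return dict(hits)


def triage(hits):
    """Prioritise as the text suggests: enumeration alone is common in benign
    apps; enumeration plus run-time code loading needs a human to look."""
    if {"Application Discovery", "Download New Code at Runtime"} <= set(hits):
        return "manual review"
    if "Download New Code at Runtime" in hits:
        return "review code-loading paths"
    if "Application Discovery" in hits:
        return "low: common in benign apps"
    return "no findings"


# Constructed listing: enumerates packages two ways, then loads a second-stage DEX.
SAMPLE = """\
.method private enumerate()V
    invoke-virtual {p0}, Lcom/example/app/MainActivity;->getPackageManager()Landroid/content/pm/PackageManager;
    move-result-object v0
    const/4 v1, 0x0
    invoke-virtual {v0, v1}, Landroid/content/pm/PackageManager;->getInstalledApplications(I)Ljava/util/List;
    move-result-object v2
    const-string v3, "pm list packages -f"
    invoke-virtual {v4, v3}, Ljava/lang/Runtime;->exec(Ljava/lang/String;)Ljava/lang/Process;
.end method
.method private loadStage2()V
    new-instance v0, Ldalvik/system/DexClassLoader;
    invoke-direct {v0, v1, v2, v3, v4}, Ldalvik/system/DexClassLoader;-><init>(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Ljava/lang/ClassLoader;)V
    invoke-virtual {v5, v6, v7}, Landroid/webkit/WebView;->addJavascriptInterface(Ljava/lang/Object;Ljava/lang/String;)V
.end method
"""

if __name__ == "__main__":
    found = scan_smali(SAMPLE)
    for technique, items in found.items():
        for n, text in items:
            print(f"{technique}: line {n}: {text}")
    print("triage:", triage(found))
```

Reflection (Class.forName with string-built class names) and native code bypass a scan like this entirely, which is the point the recommendation makes: it is a filter for where to spend analyst time, not a verdict.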

Install Insecure or Malicious Configuration

Platform: Android, iOS
Description: An adversary may try to install an insecure or malicious configuration on a mobile device by means of a phishing e-mail or text message that carries a configuration file as an attachment or links to configuration settings. Social engineering is used to talk the user through accepting the settings. For example, a configuration can place an unwanted certificate authority (CA) certificate into the device's trusted certificate store, which makes the device more susceptible to man-in-the-middle attacks.

On iOS, a malicious configuration profile may contain unwanted CA certificates or other insecure settings, such as the address of an attacker-controlled proxy or VPN server that routes the device's traffic through the attacker's system, or an enrolment that registers the device with an adversary-controlled mobile device management (MDM) server.

Protection recommendations: Starting with iOS 10.3, installing a new trusted root CA certificate requires an additional explicit user action (enabling full trust for the certificate in the device's certificate trust settings). Applications targeting Android 7.0 and later (API level 24) by default trust only the CA certificates shipped with the OS, not those added by the user or an administrator, which reduces their exposure to man-in-the-middle attacks.

Insecure or malicious configuration settings normally cannot be applied without user consent. Users should be trained not to accept configuration settings they were not expecting (CA certificates, iOS configuration profiles, MDM enrolments).

On Android, a user can review the trusted CA certificates in the device settings and spot suspicious ones; mobile security products can likewise inspect the certificate stores for anomalies. On iOS, a user can review the installed configuration profiles in the device settings and identify suspicious profiles; an MDM system can likewise use the iOS MDM API to query the list of installed profiles and check it for anomalies.
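Profile inspection of the kind described above, as an added example that is not part of the article or of MITRE's content: an iOS configuration profile is an XML property list, so the risky payloads the text names (trusted root CA, global HTTP proxy, VPN, MDM enrolment) can be picked out with Python's standard plistlib. The PayloadType identifiers are the real Apple ones; the profile itself, its hostnames and the DER placeholder are constructed. A signed profile is a CMS blob wrapping this plist and has to be unwrapped first (for example with openssl smime -verify), which this example does not do.

```python
"""Added example: audit a .mobileconfig profile for payload types that
install CA certificates, redirect traffic or enrol the device in MDM."""
import plistlib

# Real Apple PayloadType identifiers and why each one matters here.
RISKY_PAYLOADS = {
    "com.apple.security.root": "installs a trusted root CA certificate",
    "com.apple.security.pkcs1": "installs a certificate",
    "com.apple.proxy.http.global": "routes all HTTP(S) traffic through a proxy",
    "com.apple.vpn.managed": "routes traffic through a VPN server",
    "com.apple.mdm": "enrols the device in an MDM server",
}


def _endpoint(payload):
    """Return the network endpoint a payload points at, if it has one."""
    if "ServerURL" in payload:                       # MDM
        return payload["ServerURL"]
    if "ProxyServer" in payload:                     # global HTTP proxy
        return f'{payload["ProxyServer"]}:{payload.get("ProxyServerPort", "")}'
    vpn = payload.get("VPN") or payload.get("IPSec") or {}
    return vpn.get("RemoteAddress")                  # VPN, or None


def audit_profile(data: bytes):
    """Parse an unsigned profile plist and return one finding per risky payload:
    (PayloadType, reason, endpoint or None, PayloadDisplayName)."""
    profile = plistlib.loads(data)
    findings = []
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "")
        if ptype in RISKY_PAYLOADS:
            findings.append((ptype, RISKY_PAYLOADS[ptype], _endpoint(payload),
                             payload.get("PayloadDisplayName")))
    return findings


# Constructed profile, built with plistlib so the XML is well-formed. The
# certificate bytes are a placeholder, not a real DER certificate.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadVersion": 1,
    "PayloadIdentifier": "net.example.freewifi.profile",
    "PayloadUUID": "00000000-0000-4000-8000-000000000001",
    "PayloadDisplayName": "Free Wi-Fi Setup",
    "PayloadContent": [
        {"PayloadType": "com.apple.security.root", "PayloadVersion": 1,
         "PayloadIdentifier": "net.example.freewifi.ca",
         "PayloadUUID": "00000000-0000-4000-8000-000000000002",
         "PayloadDisplayName": "Wi-Fi Root CA",
         "PayloadContent": b"\x30\x82\x00\x00"},
        {"PayloadType": "com.apple.proxy.http.global", "PayloadVersion": 1,
         "PayloadIdentifier": "net.example.freewifi.proxy",
         "PayloadUUID": "00000000-0000-4000-8000-000000000003",
         "ProxyType": "Manual", "ProxyServer": "proxy.example.net",
         "ProxyServerPort": 8080},
        {"PayloadType": "com.apple.mdm", "PayloadVersion": 1,
         "PayloadIdentifier": "net.example.freewifi.mdm",
         "PayloadUUID": "00000000-0000-4000-8000-000000000004",
         "ServerURL": "https://mdm.example.net/devices",
         "CheckInURL": "https://mdm.example.net/checkin",
         "Topic": "com.apple.mgmt.External.example",
         "AccessRights": 8191},
        {"PayloadType": "com.apple.wifi.managed", "PayloadVersion": 1,
         "PayloadIdentifier": "net.example.freewifi.wifi",
         "PayloadUUID": "00000000-0000-4000-8000-000000000005",
         "SSID_STR": "FreeWiFi", "AutoJoin": True},
    ],
})

if __name__ == "__main__":
    for ptype, reason, endpoint, name in audit_profile(SAMPLE_PROFILE):
        print(f"{ptype}: {reason}; endpoint={endpoint}; name={name!r}")
```

The benign Wi-Fi payload is not reported, while the three payloads that give the sender traffic visibility or device control are, each with the endpoint an analyst would want to look up. An MDM payload with AccessRights 8191 (all rights) bundled into a "free Wi-Fi" profile is exactly the pattern the text warns about.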

Modify OS Kernel or Boot Partition

Platform: Android, iOS
Description: Given the ability to escalate privileges, an adversary may try to place malicious code in the OS kernel or in components of the boot partition, where the code is hard to detect, survives a reboot and cannot be removed by the user. In some cases (for example Samsung Knox) such an attack can be detected, but detection puts the device into a reduced-functionality mode.

Many Android devices allow the bootloader to be unlocked for development purposes, but the same capability allows the kernel or other boot-partition code to be replaced with malicious versions. Even if the bootloader remains locked, vulnerabilities may still be exploited to modify kernel code.

Protection recommendations: In an enterprise environment, deploy security updates promptly, introduce remote attestation of mobile devices (Android SafetyNet, Samsung KNOX TIMA), and deny access to corporate resources to devices that fail attestation. Check the bootloader lock status on devices that allow the bootloader to be unlocked (an unlocked bootloader lets arbitrary OS code be written to the device).

The Android SafetyNet Attestation API can be used to remotely identify and respond to compromised devices. Samsung KNOX provides remote attestation on supported Samsung Android devices. Samsung KNOX devices also include an irreversible fuse bit that is blown if a non-KNOX kernel is loaded on the device; once it is blown, the enterprise KNOX container services are no longer available on that device.

As described in the iOS Security Guide, iOS devices will not boot, or will not allow activation, if unauthorized modifications are detected. Many enterprise applications also perform their own checks to detect and respond to compromised devices. Such checks are not foolproof, but they can catch the more obvious signs of compromise.
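Two of the enterprise-side checks recommended above, written out as an added example (not code from the article, MITRE or Google): first, reading the bootloader lock and Android Verified Boot state from getprop output; second, the policy checks a server must apply to a SafetyNet Attestation payload (nonce, freshness, package and signing-certificate binding, basicIntegrity and ctsProfileMatch). The property names and JSON field names are the real ones; the getprop output and the token are constructed, and the token is deliberately unsigned. Verifying the JWS signature and its x5c certificate chain (leaf CN must be attest.android.com) is mandatory in production and needs a crypto library; it is omitted here and must be done before any of these checks are trusted.

```python
"""Added example: bootloader / verified-boot posture from getprop, and the
server-side policy checks on a SafetyNet Attestation payload.
Signature and certificate-chain verification of the JWS is NOT done here."""
import base64
import json
import re
import time

GETPROP_RE = re.compile(r'^\[(?P<k>[^\]]+)\]: \[(?P<v>[^\]]*)\]$')

# Meaning of ro.boot.verifiedbootstate values other than green.
VBS_MEANING = {
    "yellow": "bootloader locked, but booted with a custom signing key",
    "orange": "bootloader unlocked, boot image not verified",
    "red": "verification failed",
}


def parse_getprop(output: str) -> dict:
    """Turn `getprop` lines of the form [key]: [value] into a dict."""
    props = {}
    for line in output.splitlines():
        m = GETPROP_RE.match(line.strip())
        if m:
            props[m.group("k")] = m.group("v")
    return props


def assess_boot_state(props: dict):
    """Return a list of problems; an empty list means a locked bootloader,
    green verified-boot state and enforcing dm-verity."""
    problems = []
    # AVB 2.0 devices expose vbmeta.device_state; older ones only flash.locked.
    state = props.get("ro.boot.vbmeta.device_state") or (
        "locked" if props.get("ro.boot.flash.locked") == "1" else "unknown")
    if state != "locked":
        problems.append(f"bootloader not locked (device_state={state})")
    vbs = props.get("ro.boot.verifiedbootstate")
    if vbs != "green":
        problems.append(f"verified boot state {vbs}: {VBS_MEANING.get(vbs, 'unknown')}")
    if props.get("ro.boot.veritymode", "enforcing") != "enforcing":
        problems.append("dm-verity not enforcing")
    return problems


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def check_safetynet(jws: str, expected_nonce: bytes, package: str,
                    cert_digests: set, now_ms=None, max_age_ms=120_000):
    """Policy checks on the attestation payload. Returns a list of failures.
    Precondition (not implemented here): the JWS signature and x5c chain
    have already been verified, otherwise every field below is attacker data."""
    payload = json.loads(_b64url_decode(jws.split(".")[1]))
    failures = []
    # The nonce binds the token to this server request; it is base64 in the payload.
    if base64.b64decode(payload.get("nonce", "")) != expected_nonce:
        failures.append("nonce mismatch (replayed or foreign attestation)")
    if now_ms is None:
        now_ms = int(time.time() * 1000)
    if abs(now_ms - payload.get("timestampMs", 0)) > max_age_ms:
        failures.append("stale attestation")
    if payload.get("apkPackageName") != package:
        failures.append("package name mismatch")
    if not set(payload.get("apkCertificateDigestSha256", [])) & cert_digests:
        failures.append("signing certificate mismatch (repackaged app?)")
    if not payload.get("basicIntegrity"):
        failures.append("basicIntegrity=false (rooted or tampered device)")
    if not payload.get("ctsProfileMatch"):
        failures.append("ctsProfileMatch=false (uncertified or modified device)")
    return failures


def _b64url(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_unsigned_jws(payload: dict) -> str:
    """Constructed, UNSIGNED token for the demo; a real one is signed by Google."""
    header = _b64url(json.dumps({"alg": "RS256", "x5c": []}).encode())
    return f"{header}.{_b64url(json.dumps(payload).encode())}."


# Constructed inputs.
GETPROP_LOCKED = """\
[ro.boot.flash.locked]: [1]
[ro.boot.vbmeta.device_state]: [locked]
[ro.boot.verifiedbootstate]: [green]
[ro.boot.veritymode]: [enforcing]
"""
GETPROP_UNLOCKED = """\
[ro.boot.flash.locked]: [0]
[ro.boot.vbmeta.device_state]: [unlocked]
[ro.boot.verifiedbootstate]: [orange]
[ro.boot.veritymode]: [disabled]
"""
NONCE = b"server-issued-random-nonce-0001"          # constructed
CERT_DIGEST = base64.b64encode(bytes(range(32))).decode()  # constructed digest
GOOD_PAYLOAD = {
    "nonce": base64.b64encode(NONCE).decode(),
    "timestampMs": 1_700_000_000_000,
    "apkPackageName": "com.example.bank",
    "apkCertificateDigestSha256": [CERT_DIGEST],
    "ctsProfileMatch": True,
    "basicIntegrity": True,
    "evaluationType": "BASIC,HARDWARE_BACKED",
}
ROOTED_PAYLOAD = dict(GOOD_PAYLOAD, ctsProfileMatch=False, basicIntegrity=False)

if __name__ == "__main__":
    print("locked device:", assess_boot_state(parse_getprop(GETPROP_LOCKED)))
    print("unlocked device:", assess_boot_state(parse_getprop(GETPROP_UNLOCKED)))
    now = 1_700_000_001_000
    print("good token:", check_safetynet(make_unsigned_jws(GOOD_PAYLOAD), NONCE,
                                         "com.example.bank", {CERT_DIGEST}, now_ms=now))
    print("rooted token:", check_safetynet(make_unsigned_jws(ROOTED_PAYLOAD), NONCE,
                                           "com.example.bank", {CERT_DIGEST}, now_ms=now))
```

The nonce and certificate-digest checks are the ones most often skipped in practice; without them an attacker with a rooted device simply replays a token obtained from a clean device, or presents one issued to a different app.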

Modify System Partition

Platform: Android, iOS
Description: Having escalated privileges, an adversary can use them to place malicious code in the device's system partition, where the code survives an OS reboot and is not easily removable by the user. Many Android devices allow the bootloader to be unlocked for development purposes; an adversary can use the same capability to modify the system partition.

Protection Recommendations: Android devices that support Verified Boot cryptographically verify the integrity of the system partition at boot. The Android SafetyNet Attestation API can be used to identify compromised devices, and Samsung KNOX provides remote attestation on supported devices. iOS devices will not boot, or will not allow activation, if unauthorized modifications are detected.

Modify Trusted Execution Environment

Platform: Android
Description: With sufficient privileges, an attacker can try to place malicious code in the trusted execution environment (TEE) or a similar isolated execution environment, where the code is hard to detect, survives a reboot and cannot be removed by the user. Code running in the TEE gives the adversary the ability to control or falsify the device's operation, including the security functions that the rest of the system relies on the TEE for.

Protection Recommendations: Devices should verify the integrity of the code that runs in the TEE at boot time. On iOS, the device will not boot if the code running in the Secure Enclave fails digital signature verification.

Obfuscated Files or Information

Platform: Android, iOS
Description: The developer of a malicious application can obfuscate or encrypt its code so that it is only deobfuscated or decrypted while the application runs on the target device, defeating static inspection of the package.

Protection Recommendations: Application vetting tools can flag obfuscated or encrypted code in applications. Unfortunately such a flag on its own produces many false positives, because many legitimate applications use obfuscation and encryption to protect themselves against tampering techniques such as repackaging. Dynamic analysis can sometimes recover obfuscated or encrypted code by observing it in clear text at run time. Some vetting tools also rely on developer reputation and can warn about potentially dangerous applications without analysing the code at all.
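One concrete form of the "flag encrypted code" check above, as an added example that is not part of the article: string constants in a smali listing are scored by Shannon entropy, and long high-entropy constants (ciphertext or encoded blobs that the app will decrypt at run time) are reported. The listing is constructed; the high-entropy sample is the base64 form of a SHA-256 digest standing in for a ciphertext. The threshold is a heuristic and is labelled as such.

```python
"""Added example: flag likely encrypted or encoded string constants in a
smali listing by Shannon entropy. Heuristic only; thresholds are assumptions."""
import math
import re
from collections import Counter

CONST_STRING_RE = re.compile(r'^\s*const-string(?:/jumbo)?\s+\S+,\s*"((?:[^"\\]|\\.)*)"')


def shannon_entropy(s: str) -> float:
    """Bits per character. Plain text sits around 3 to 4; base64 of random
    bytes approaches 6; hex-encoded data can never exceed 4."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def suspicious_strings(listing: str, min_len: int = 16, threshold: float = 4.5):
    """Return [(line_no, string, entropy)] for const-string operands that are
    at least min_len characters and at or above the entropy threshold."""
    flagged = []
    for n, line in enumerate(listing.splitlines(), 1):
        m = CONST_STRING_RE.match(line)
        if not m:
            continue
        s = m.group(1)
        if len(s) >= min_len:
            h = shannon_entropy(s)
            if h >= threshold:
                flagged.append((n, s, round(h, 2)))
    return flagged


# Constructed listing: two ordinary strings, one short base64 string, one
# long high-entropy blob that is passed to a decrypt routine.
BLOB = "47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU="
SAMPLE = f"""\
.method private config()V
    const-string v0, "Hello, world"
    const-string v1, "https://api.example.com/v1/session"
    const-string v2, "{BLOB}"
    const-string v3, "aGVsbG8gd29ybGQ="
    invoke-static {{v2}}, Lcom/example/app/Crypto;->decrypt(Ljava/lang/String;)Ljava/lang/String;
.end method
"""

if __name__ == "__main__":
    for n, s, h in suspicious_strings(SAMPLE):
        print(f"line {n}: entropy {h}: {s}")
```

The short base64 string on the line after the blob is not reported even though it is encoded: short constants do not accumulate enough entropy, and hex-encoded data tops out at 4 bits per character, below this threshold. A practical scanner therefore keys the threshold to the apparent alphabet, and pairs the string check with a look at what consumes the constant (here, a method named decrypt), which is the kind of additional review the recommendation says flagged apps need.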
