A variety of methods exist that can be used to enable enterprises to identify compromised (e.g. rooted/jailbroken) devices, whether using security mechanisms built directly into the device, third-party mobile security applications, enterprise mobility management (EMM)/mobile device management (MDM) capabilities, or other methods. Some methods may be trivial to evade while others may be more sophisticated.
Domain | ID | Name | Use
---|---|---|---
Mobile | T1605 | Command-Line Interface | Mobile security products can often detect jailbroken or rooted devices.
Mobile | T1446 | Device Lockout | 
Mobile | T1617 | Hooking | Mobile security products can often detect rooted devices.
Mobile | T1579 | Keychain | Mobile security products can potentially detect jailbroken devices and take responsive action.
Mobile | T1618 | User Evasion | Mobile security products that are part of the Samsung Knox for Mobile Threat Defense program could examine running applications while the device is idle, potentially detecting malicious applications that are running primarily when the device is not being used.