The adversary is trying to manipulate, interrupt, or destroy your devices and data.

The impact tactic consists of techniques used by the adversary to execute his or her mission objectives but that do not cleanly fit into another category such as Collection. Mission objectives vary based on each adversary's goals, but examples include toll fraud, destruction of device data, or locking the user out of his or her device until a ransom is paid.

ID: TA0034
Created: 17 October 2018
Last Modified: 27 January 2020


Techniques: 11
ID Name Description
T1616 Call Control Adversaries may make, forward, or block phone calls without user authorization. This could be used for adversary goals such as audio surveillance, blocking or forwarding calls from the device owner, or C2 communication.
T1448 Carrier Billing Fraud A malicious app may trigger fraudulent charges on a victim’s carrier billing statement in several different ways, including SMS toll fraud and SMS shortcodes that make purchases.
T1510 Clipboard Modification Adversaries may abuse clipboard functionality to intercept and replace information in the Android device clipboard. Malicious applications may monitor the clipboard activity through the ClipboardManager.OnPrimaryClipChangedListener interface on Android to determine when the clipboard contents have changed. Listening to clipboard activity, reading the clipboard contents, and modifying the clipboard contents requires no explicit application permissions and can be performed by applications running in the background, however, this behavior has changed with the release of Android 10.
T1471 Data Encrypted for Impact An adversary may encrypt files stored on the mobile device to prevent the user from accessing them, for example with the intent of only unlocking access to the files after a ransom is paid. Without escalated privileges, the adversary is generally limited to only encrypting files in external/shared storage locations. This technique has been demonstrated on Android. We are unaware of any demonstrated use on iOS.
T1447 Delete Device Data Adversaries may wipe a device or delete individual files in order to manipulate external outcomes or hide activity. An application must have administrator access to fully wipe the device, while individual files may not require special permissions to delete depending on their storage location.
T1446 Device Lockout An adversary may seek to lock the legitimate user out of the device, for example to inhibit user interaction or to obtain a ransom payment.
T1472 Generate Fraudulent Advertising Revenue An adversary could seek to generate fraudulent advertising revenue from mobile devices, for example by triggering automatic clicks of advertising links without user involvement.
T1516 Input Injection A malicious application can inject input to the user interface to mimic user interaction through the abuse of Android's accessibility APIs.
T1452 Manipulate App Store Rankings or Ratings An adversary could use access to a compromised device's credentials to attempt to manipulate app store rankings or ratings by triggering application downloads or posting fake reviews of applications. This technique likely requires privileged access (a rooted or jailbroken device).
T1400 Modify System Partition If an adversary can escalate privileges, he or she may be able to use those privileges to place malicious code in the device system partition, where it may persist after device resets and may not be easily removed by the device user.
T1582 SMS Control Adversaries may delete, alter, or send SMS messages without user authorization. This could be used to hide C2 SMS messages, spread malware, or various external effects.