Install Insecure or Malicious Configuration

An adversary could attempt to install insecure or malicious configuration settings on the mobile device, through means such as phishing emails or text messages either directly containing the configuration settings as an attachment, or containing a web link to the configuration settings. The device user may be tricked into installing the configuration settings through social engineering techniques [1].

For example, an unwanted Certification Authority (CA) certificate could be placed in the device's trusted certificate store, increasing the device's susceptibility to adversary-in-the-middle network attacks seeking to eavesdrop on or manipulate the device's network communication (Eavesdrop on Insecure Network Communication and Manipulate Device Communication).

On iOS, malicious Configuration Profiles could contain unwanted Certification Authority (CA) certificates or other insecure settings such as unwanted proxy server or VPN settings to route the device's network traffic through an adversary's system. The device could also potentially be enrolled into a malicious Mobile Device Management (MDM) system [2].

ID: T1478
Sub-techniques:  No sub-techniques
Tactic Type: Post-Adversary Device Access
Platforms: Android, iOS
MTC ID: STA-7
Version: 1.0
Created: 17 October 2018
Last Modified: 01 November 2021
Provided by LAYER 8

Procedure Examples

ID Name Description
S0422 Anubis

Anubis can modify administrator settings and disable Play Protect.[3]

S0480 Cerberus

Cerberus disables Google Play Protect to prevent its discovery and deletion in the future.[4]

S0505 Desert Scorpion

If running on a Huawei device, Desert Scorpion adds itself to the protected apps list, which allows it to run with the screen off.[5]

S0420 Dvmap

Dvmap can enable installation of apps from unknown sources, turn off VerifyApps, and can grant Device Administrator permissions via commands only, rather than using the UI.[6]

S0551 GoldenEagle

GoldenEagle has modified or configured proxy information.[7]

S0485 Mandrake

Mandrake can enable app installation from unknown sources and can disable Play Protect.[8]

S0549 SilkBean

SilkBean has attempted to trick users into enabling installation of applications from unknown sources.[7]

G0112 Windshift

Windshift has installed malicious MDM profiles on iOS devices as part of Operation ROCK.[9]

S0490 XLoader for iOS

XLoader for iOS has been installed via a malicious configuration profile.[10]

S0494 Zen

Zen can modify the SELinux enforcement mode.[11]

Mitigations

ID Mitigation Description
M1006 Use Recent OS Version

iOS 10.3 and higher add an additional step for users to install new trusted CA certificates to make it more difficult to trick users into installing them. On Android, apps that target compatibility with Android 7 and higher (API Level 24) default to only trusting CA certificates that are bundled with the operating system, not CA certificates that are added by the user or administrator, hence decreasing their susceptibility to successful adversary-in-the-middle attack.[12][13]

M1011 User Guidance

Typically, insecure or malicious configuration settings are not installed without the user's consent. Users should be advised not to install unexpected configuration settings (CA certificates, iOS Configuration Profiles, Mobile Device Management server provisioning).

Detection

On Android, the user can view trusted CA certificates through the device settings and look for unexpected certificates. A mobile security product could similarly examine the trusted CA certificate store for anomalies.

On iOS, the user can view installed Configuration Profiles through the device settings and look for unexpected profiles. A Mobile Device Management (MDM) system could use the iOS MDM APIs to examine the list of installed Configuration Profiles for anomalies.

References