Adversaries may use built-in command-line interfaces to interact with the device and execute commands. Android provides a bash shell that can be interacted with over the Android Debug Bridge (ADB) or programmatically using Java’s Runtime package. On iOS, adversaries can interact with the underlying runtime shell if the device has been jailbroken.
If the device has been rooted or jailbroken, adversaries may locate and invoke a superuser binary to elevate their privileges and interact with the system as the root user. This dangerous level of permissions allows the adversary to run special commands and modify protected system files.
| ID | Name | Description |
|---|---|---|
| S0655 | BusyGasper |
BusyGasper can run shell commands.[1] |
| S0555 | CHEMISTGAMES |
CHEMISTGAMES can run bash commands.[2] |
| S0550 | DoubleAgent |
DoubleAgent can run arbitrary shell commands.[3] |
| S0544 | HenBox | |
| S0558 | Tiktok Pro |
Tiktok Pro can execute commands .[5] |
| ID | Mitigation | Description |
|---|---|---|
| M1005 | Application Vetting |
Application vetting services could detect invocations of methods that could be used to execute shell commands. |
| M1002 | Attestation |
Device attestation can often detect jailbroken or rooted devices. |
| M1010 | Deploy Compromised Device Detection Method |
Mobile security products can often detect jailbroken or rooted devices. |
Command-Line Interface execution can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.