Execution, Tactic TA0041 - Mobile

<!DOCTYPE html> <html lang='en'> <head> <script async src="https://www.googletagmanager.com/gtag/js?id=UA-62667723-1"></script> <script> window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'UA-62667723-1'); </script> <meta name="google-site-verification" content="2oJKLqNN62z6AOCb0A0IXGtbQuj-lev5YPAHFF_cbHQ"/> <meta charset='utf-8'> <meta name='viewport' content='width=device-width, initial-scale=1, shrink-to-fit=no'> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <link rel='shortcut icon' href="/versions/v9/theme/favicon.ico" type='image/x-icon'> <title>Execution, Tactic TA0041 - Mobile | MITRE ATT&CK®</title>  <link rel='stylesheet' href="/versions/v9/theme/style/bootstrap.min.css" /> <link rel='stylesheet' href="/versions/v9/theme/style/bootstrap-glyphicon.min.css" /> <link rel='stylesheet' href="/versions/v9/theme/style/bootstrap-tourist.css" /> <link rel="stylesheet" type="text/css" href="/versions/v9/theme/style.min.css?426cc53a"> </head> <body>  <header> <nav class='navbar navbar-expand-lg navbar-dark fixed-top'> <a class='navbar-brand' href="/versions/v9/"><img src="/versions/v9/theme/images/mitre_attack_logo.png" class="attack-logo"></a> <button class='navbar-toggler' type='button' data-toggle='collapse' data-target='#navbarCollapse' aria-controls='navbarCollapse' aria-expanded='false' aria-label='Toggle navigation'> <span class='navbar-toggler-icon'></span> </button> <div class='collapse navbar-collapse' id='navbarCollapse'> <ul class='nav nav-tabs ml-auto'> <li class="nav-item"> <a href="/versions/v9/matrices/" class="nav-link" ><b>Matrices</b></a> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v9/tactics/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Tactics</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v9/tactics/enterprise/">Enterprise</a> <a class="dropdown-item" href="/versions/v9/tactics/mobile/">Mobile</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v9/techniques/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Techniques</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v9/techniques/enterprise/">Enterprise</a> <a class="dropdown-item" href="/versions/v9/techniques/mobile/">Mobile</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v9/mitigations/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Mitigations</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v9/mitigations/enterprise/">Enterprise</a> <a class="dropdown-item" href="/versions/v9/mitigations/mobile/">Mobile</a> </div> </li> <li class="nav-item"> <a href="/versions/v9/groups" class="nav-link" ><b>Groups</b></a> </li> <li class="nav-item"> <a href="/versions/v9/software/" class="nav-link" ><b>Software</b></a> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v9/resources/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Resources</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v9/resources/">General Information</a> <a class="dropdown-item" href="/versions/v9/resources/getting-started/">Getting Started</a> <a class="dropdown-item" href="/versions/v9/resources/training/">Training</a> <a class="dropdown-item" href="/versions/v9/resources/attackcon/">ATT&CKcon</a> <a class="dropdown-item" href="/versions/v9/resources/working-with-attack/">Working with ATT&CK</a> <a class="dropdown-item" href="/versions/v9/resources/faq/">FAQ</a> <a class="dropdown-item" href="/resources/updates/">Updates</a> <a class="dropdown-item" href="/resources/versions/">Versions of ATT&CK</a> <a class="dropdown-item" href="/versions/v9/resources/related-projects/">Related Projects</a> </div> </li> <li class="nav-item"> <a href="https://medium.com/mitre-attack/" target="_blank" class="nav-link"> <b>Blog</b>  <img src="/versions/v9/theme/images/external-site.svg" alt="External site" class="external-icon" /> </a> </li> <li class="nav-item"> <a href="/versions/v9/resources/contribute/" class="nav-link" ><b>Contribute</b></a> </li> <li class="nav-item"> <button id="search-button" class="btn search-button">Search <div class="search-icon"></div></button> </li> </ul> </div> </nav> </header>  <div class="container-fluid version-banner"><div class="icon-inline baseline mr-1"><img src="/versions/v9/theme/images/icon-warning-24px.svg"></div>Currently viewing <a href="https://github.com/mitre/cti/releases/tag/ATT%26CK-v9.0" target="_blank">ATT&CK v9.0</a> which was live between April 29, 2021 and October 20, 2021. <a href="/resources/versions/">Learn more about the versioning system</a> or <a href="/">see the live site</a>.</div> <div id='content' class="maincontent">  <div class='container-fluid h-100'> <div class='row h-100'> <div class="nav flex-column col-xl-2 col-lg-3 col-md-3 sidebar nav pt-5 pb-3 pl-3 border-right" id="v-tab" role="tablist" aria-orientation="vertical">  <div class="group-nav-desktop-view"> <span class="heading" id="v-home-tab" aria-selected="false">TACTICS</span> <div class="sidenav"> <div class="sidenav-head " id="enterprise"> <a href="/versions/v9/tactics/enterprise/"> Enterprise </a> <div class="expand-button collapsed" id="enterprise-header" data-toggle="collapse" data-target="#enterprise-body" aria-expanded="false" aria-controls="#enterprise-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-body" aria-labelledby="enterprise-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-Reconnaissance"> <a href="/versions/v9/tactics/TA0043/"> Reconnaissance </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-Resource Development"> <a href="/versions/v9/tactics/TA0042/"> Resource Development </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-Initial Access"> <a href="/versions/v9/tactics/TA0001/"> Initial Access </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-Execution"> <a href="/versions/v9/tactics/TA0002/"> Execution </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-Persistence"> <a href="/versions/v9/tactics/TA0003/"> Persistence </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-Privilege Escalation"> <a href="/versions/v9/tactics/TA0004/"> Privilege Escalation </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-Defense Evasion"> <a href="/versions/v9/tactics/TA0005/"> Defense Evasion </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-Credential Access"> <a href="/versions/v9/tactics/TA0006/"> Credential Access </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-Discovery"> <a href="/versions/v9/tactics/TA0007/"> Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-Lateral Movement"> <a href="/versions/v9/tactics/TA0008/"> Lateral Movement </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-Collection"> <a href="/versions/v9/tactics/TA0009/"> Collection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-Command and Control"> <a href="/versions/v9/tactics/TA0011/"> Command and Control </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-Exfiltration"> <a href="/versions/v9/tactics/TA0010/"> Exfiltration </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-Impact"> <a href="/versions/v9/tactics/TA0040/"> Impact </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile"> <a href="/versions/v9/tactics/mobile/"> Mobile </a> <div class="expand-button collapsed" id="mobile-header" data-toggle="collapse" data-target="#mobile-body" aria-expanded="false" aria-controls="#mobile-body"></div> </div> <div class="sidenav-body collapse" id="mobile-body" aria-labelledby="mobile-header"> <div class="sidenav"> <div class="sidenav-head" id="mobile-Initial Access"> <a href="/versions/v9/tactics/TA0027/"> Initial Access </a> </div> </div> <div class="sidenav"> <div class="sidenav-head active" id="mobile-Execution"> <a href="/versions/v9/tactics/TA0041/"> Execution </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-Persistence"> <a href="/versions/v9/tactics/TA0028/"> Persistence </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-Privilege Escalation"> <a href="/versions/v9/tactics/TA0029/"> Privilege Escalation </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-Defense Evasion"> <a href="/versions/v9/tactics/TA0030/"> Defense Evasion </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-Credential Access"> <a href="/versions/v9/tactics/TA0031/"> Credential Access </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-Discovery"> <a href="/versions/v9/tactics/TA0032/"> Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-Lateral Movement"> <a href="/versions/v9/tactics/TA0033/"> Lateral Movement </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-Collection"> <a href="/versions/v9/tactics/TA0035/"> Collection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-Command and Control"> <a href="/versions/v9/tactics/TA0037/"> Command and Control </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-Exfiltration"> <a href="/versions/v9/tactics/TA0036/"> Exfiltration </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-Impact"> <a href="/versions/v9/tactics/TA0034/"> Impact </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-Network Effects"> <a href="/versions/v9/tactics/TA0038/"> Network Effects </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-Remote Service Effects"> <a href="/versions/v9/tactics/TA0039/"> Remote Service Effects </a> </div> </div> </div> </div> </div>  </div> <div class="tab-content col-xl-10 col-lg-9 col-md-9 pt-4" id="v-tabContent"> <div class="tab-pane fade show active" id="v-attckmatrix" role="tabpanel" aria-labelledby="v-attckmatrix-tab"> <ol class="breadcrumb"> <li class="breadcrumb-item"><a href="/versions/v9/">Home</a></li> <li class="breadcrumb-item"><a href="/versions/v9/tactics/mobile">Tactics</a></li> <li class="breadcrumb-item"><a href="/versions/v9/tactics/mobile">Mobile</a></li> <li class="breadcrumb-item">Execution</li> </ol> <div class="tab-pane fade show active" id="v-" role="tabpanel" aria-labelledby="v--tab"></div> <div class="row"> <div class="col-xl-12"> <div class="jumbotron jumbotron-fluid"> <div class="container-fluid"> <h1> Execution </h1> <div class="row"> <div class="col-md-8"> <div class="description-body"> <p>The adversary is trying to run malicious code.</p><p>Execution consists of techniques that result in adversary-controlled code running on a mobile device. Techniques that run malicious code are often paired with techniques from all other tactics to achieve broader goals, like exploring a network or stealing data.</p> </div> </div> <div class="col-md-4"> <div class="card"> <div class="card-body"> <div class="card-data"><span class="h5 card-title">ID:</span> TA0041</div> <div class="card-data"><span class="h5 card-title">Created: </span>27 January 2020</div> <div class="card-data"><span class="h5 card-title">Last Modified: </span>27 January 2020</div> </div> </div> <div class="text-center pt-2 version-button permalink"> <div class="live"> <a data-toggle="tooltip" data-placement="bottom" title="Permalink to this version of TA0041" href="/versions/v9/tactics/TA0041/" data-test-ignore="true">Version Permalink</a> </div> <div class="permalink"> <a data-toggle="tooltip" data-placement="bottom" title="Go to the live version of TA0041" href="/tactics/TA0041/" data-test-ignore="true">Live Version</a> </div> </div> </div> </div> <h2 class="pt-3" id ="techniques">Techniques</h2><h6 class="table-object-count">Techniques: 4</h6> <table class="table-techniques"> <thead> <tr> <td colspan="2">ID</td> <td>Name</td> <td>Description</td> </tr> </thead> <tbody> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1402"> T1402 </a> </td> <td> <a href="/versions/v9/techniques/T1402"> Broadcast Receivers </a> </td> <td> An intent is a message passed between Android application or system components. Applications can register to receive broadcast intents at runtime, which are system-wide intents delivered to each app when certain events happen on the device, such as network changes or the user unlocking the screen. Malicious applications can then trigger certain actions within the app based on which broadcast intent was received. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1605"> T1605 </a> </td> <td> <a href="/versions/v9/techniques/T1605"> Command-Line Interface </a> </td> <td> Adversaries may use built-in command-line interfaces to interact with the device and execute commands. Android provides a bash shell that can be interacted with over the Android Debug Bridge (ADB) or programmatically using Java鈥檚 <code>Runtime</code> package. On iOS, adversaries can interact with the underlying runtime shell if the device has been jailbroken. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1575"> T1575 </a> </td> <td> <a href="/versions/v9/techniques/T1575"> Native Code </a> </td> <td> Adversaries may use Android鈥檚 Native Development Kit (NDK) to write native functions that can achieve execution of binaries or functions. Like system calls on a traditional desktop operating system, native code achieves execution on a lower level than normal Android SDK calls. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/versions/v9/techniques/T1603"> T1603 </a> </td> <td> <a href="/versions/v9/techniques/T1603"> Scheduled Task/Job </a> </td> <td> Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. On Android and iOS, APIs and libraries exist to facilitate scheduling tasks to execute at a specified date, time, or interval. </td> </tr> </tbody> </table> </div> </div> </div> </div> </div> </div> </div> </div>  <div class="overlay search" id="search-overlay" style="display: none;"> <div class="overlay-inner">  <div class="search-header"> <div class="search-input"> <input type="text" id="search-input" placeholder="search"> </div> <div class="search-icons"> <div class="search-parsing-icon spinner-border" style="display: none" id="search-parsing-icon"></div> <div class="close-search-icon" id="close-search-icon">×</div> </div> </div>  <div id="search-body" class="search-body"> <div class="results" id="search-results">  </div> <div id="load-more-results" class="load-more-results"> <button class="btn btn-default" id="load-more-results-button">load more results</button> </div> </div> </div> </div> </div> <footer class="footer p-3"> <div class="container-fluid"> <div class="row"> <div class="col-4 col-sm-4 col-md-3"> <div class="footer-center-responsive my-auto"> <a href="https://www.mitre.org" target="_blank" rel="noopener" aria-label="MITRE"> <img src="/versions/v9/theme/images/mitrelogowhiteontrans.gif" class="mitre-logo-wtrans"> </a> </div> </div> <div class="col-2 col-sm-2 footer-responsive-break"></div> <div class="col-6 col-sm-6 text-center"> <p> 漏 2015-2021, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. </p> <div class="row"> <div class="col text-right"> <small> <a href="/versions/v9/resources/privacy" class="footer-link">Privacy Policy</a> </small> </div> <div class="col text-center"> <small> <a href="/versions/v9/resources/terms-of-use" class="footer-link">Terms of Use</a> </small> </div> <div class="col text-left "> <small> <a href="/versions/v9/resources/changelog.html" class="footer-link" data-toggle="tooltip" data-placement="top" title="ATT&CK content version 9.0Website version 3.3.1">ATT&CK v9.0</a> </small> </div> </div> </div> <div class="w-100 p-2 footer-responsive-break"></div> <div class="col"> <div class="footer-float-right-responsive-brand"> <div class="mb-1"> <a href="https://twitter.com/MITREattack" class="btn btn-primary w-100">  <img src="/versions/v9/theme/images/twitter.png" class="mr-1 twitter-icon"> <b>@MITREattack</b> </a> </div> <div class=""> <a href="/versions/v9/contact" class="btn btn-primary w-100"> Contact </a> </div> </div> </div> </div> </div> </div> </footer> </div>  <script src="/versions/v9/theme/scripts/jquery-3.5.1.min.js"></script> <script src="/versions/v9/theme/scripts/popper.min.js"></script> <script src="/versions/v9/theme/scripts/bootstrap.bundle.min.js"></script> <script src="/versions/v9/theme/scripts/site.js"></script> <script src="/versions/v9/theme/scripts/flexsearch.es5.js"></script> <script src="/versions/v9/theme/scripts/localforage.min.js"></script> <script src="/versions/v9/theme/scripts/settings.js?688"></script> <script src="/versions/v9/theme/scripts/search_babelized.js"></script>  <script src="/versions/v9/theme/scripts/navigation.js"></script> </body> </html>

CINXE.COM

Execution, Tactic TA0041 - Mobile | MITRE ATT&CK®