ATT&CK for Mobile: Reintroduction and 2022 Goals

With the huge rise in critical work data on smartphones over the past couple of years, mobile security is more important than ever before. With this in mind, since early 2021 we’ve been re-designing and rewriting the entirety of ATT&CK for Mobile. We’ve also spent a lot of time considering how we want to continue to enhance Mobile moving forward, including increasing community understanding of the mobile threat landscape.

ATT&CK for Mobile Redux

To start out with, we’d like to take this opportunity to (re)introduce ATT&CK for Mobile, by walking through why it exists, how it’s a bit different from ATT&CK for Enterprise, and what’s coming in 2022.

Our ATT&CK for Mobile expedition launched way back in 2016, leveraging community contributions and building on the National Institute for Standards and Technology (NIST) publication Assessing Threats to Mobile Devices & Infrastructure: The Mobile Threat Catalogue, and the accompanying Mobile Threat Catalogue website. ATT&CK for Mobile was originally created to help with the NIST National Cybersecurity Center of Excellence (NCCoE) Mobile Device Security project and the Department of Homeland Security’s Study on Mobile Device Security (2017).

Mobile devices, which we currently scope to smartphones and tablets running Android, iOS, or iPadOS, are almost always powered on, ubiquitously connected to a variety of networks, contain a vast array of sensors, and run a diverse set of applications. While these properties make mobile devices incredibly useful, they also bring significant security threats.

The security architectures featured on mobile devices are based on lessons learned from the traditional PC environment, notably by providing application sandboxes and permission controls. These architectures provide significant security advantages, but threats still exist against mobile devices. The same detection and mitigation approaches used in enterprise PC environments often don’t work in the mobile environment and alternate approaches have to be leveraged. When ATT&CK for Mobile was publicly released in 2017, the goal was to provide those alternate detection and mitigation approaches, and to serve as dedicated resource to the broader mobile community.

Matrix Structure

Like ATT&CK for ICS, and ATT&CK for Enterprise, ATT&CK for Mobile is a Domain in ATT&CK, with its own separate matrix and content. Despite this separation, Mobile’s matrix still leverages ATT&CK for Enterprise’s structure, just with a distinctly Mobile flavor. ATT&CK for Mobile currently features 92 techniques, each with Android and/or iOS (and iPadOS) specific descriptions, procedures, detections, and mitigations. Mobile also shares the same Software and Groups sections as ATT&CK for Enterprise, but with limited overlap between the Enterprise and Mobile entries.

Leveraging Mobile

The Mobile matrix can be operationalized for many of the same use cases as Enterprise ATT&CK. Some of the use cases we’ve seen include:

  • Determining and prioritizing development coverage of defensive capabilities
  • Identifying commonalities and distinguishing characteristics in adversary tradecraft
  • Connecting mitigations, weaknesses, and adversaries
  • Determining effective security testing strategies
  • Evaluating mobile security products with adversary emulations
  • Assessing the security posture of mobile devices

Additionally, with many organizations adopting ATT&CK for Mobile within their public threat intelligence reporting, we’re seeing it being used more frequency as a common language to describe adversary behavior. We’re also aware of ATT&CK for Mobile being used internally within vendors’ threat intelligence teams to categorize observations, as well as by vendors to map their mobile security product capabilities.

2022 ATT&CK for Mobile Roadmap

Now that you’ve had a Mobile refresher, we’d like to highlight what’s next in 2022. We noted these in the mobile section of the ATT&CK 2022 Roadmap, but wanted to spend some more time on the details given the size of the changes coming.


The mobile team has been refactoring and rewriting ATT&CK for Mobile over the last several months, with the goal of content equity with Enterprise. This included the language contained within the Mobile techniques themselves, as well as mobile-specific mitigations and detections. Most significantly, we’ve also been working towards the sub-technique structure Enterprise introduced a couple of years ago.

We plan on releasing a beta version of Mobile sub-techniques in April 2022 with the ATT&CK v11 release. Similar to Enterprise’s sub-technique rollout, we will be providing a crosswalk from old technique IDs to new technique IDs or mapping newly broken-out sub-techniques to higher level techniques. This should minimize the overhead incurred when transitioning to the new sub-technique structure.

The sub-technique beta release will be published on a separate website alongside the main ATT&CK website, clearly charting out the changes. This companion site will give the community a couple of months to preview, process, and provide feedback on the full scope of the changes before we finalize that version and make it official. Once we release the new ATT&CK for Mobile framework with sub-techniques, we welcome your feedback on the good, the bad, and the needs-adjustments. When we’re finished working through the input we receive from the community, we expect to replace the current matrix with the sub-technique structure by Summer 2022.

The screenshots below show a sample parent technique and two sub-techniques: Input Capture, Keylogging (sub), and GUI Input Capture (sub).

Input Capture ATT&CK technique with sub-technique structure.Input Capture Keylogging subtechnique.Input Capture GUI Input Capture subtechnique.

Data Sources

Once our sub-techniques are released, we’ll pivot to researching and drafting plans to introduce Data Source objects to Mobile, mirroring the concept of Data Source objects that Enterprise recently published. Some examples of mobile-specific Data Sources could include:

  • Application Binaries
  • Attestation APIs
  • Network Traffic

The new metadata provided by data sources includes the concepts of relationships and data components. These concepts will more effectively represent adversary behavior from a data perspective and will provide an additional sub-layer of context to data sources. Data components narrow the identification of security events, but also create a bridge between high- and low-level concepts to inform data collection strategies. They’ll also provide a good reference point to start mapping telemetry collected in your environment to specific sub(techniques) and/or tactics. With the additional context around each data source, the results can be leveraged with more detail when defining data collection strategy for techniques and sub-techniques.

Data Source object fields.

Mobile Threat Awareness Building

Building on the criticality of a collective community understanding of Mobile threats, we kicked off a mini-series back in 2021 highlighting significant threats to mobile devices, starting with abuse of Android application permissions. We plan to continue the series this year, underscoring some of the key mobile threats, and how to use ATT&CK for Mobile to mitigate them.

In Closing

Mobile’s matrix of adversary behavior has continued to grow with each new ATT&CK content release, in strong part due to the contributions we receive. ATT&CK for Mobile is an evolving effort and our goal is to continue to improve and mature the it. We rely on the mobile security community to share data and validate our content and look forward to collaborating with you to ensure the matrix remains beneficial.

We always welcome feedback on ATT&CK for Mobile, including how you view Mobile and Enterprise security together, and where we can improve. You can check out our Contributions page for additional information, or connect with us via email, Twitter, or Slack.

ATT&CK for Mobile: Reintroduction and 2022 Goals was originally published in MITRE ATT&CK® on Medium, where people are continuing the conversation by highlighting and responding to this story.

Article Link: