The adversary is trying to manipulate, interrupt, or destroy your devices and data.
The impact tactic consists of techniques used by the adversary to execute his or her mission objectives but that do not cleanly fit into another category such as Collection. Mission objectives vary based on each adversary's goals, but examples include toll fraud, destruction of device data, or locking the user out of his or her device until a ransom is paid.
| ID | Name | Description | |
| T1616 | Call Control | Adversaries may make, forward, or block phone calls without user authorization. This could be used for adversary goals such as audio surveillance, blocking or forwarding calls from the device owner, or C2 communication. | |
| T1448 | Carrier Billing Fraud | A malicious app may trigger fraudulent charges on a victim’s carrier billing statement in several different ways, including SMS toll fraud and SMS shortcodes that make purchases. | |
| T1510 | Clipboard Modification |
Adversaries may abuse clipboard functionality to intercept and replace information in the Android device clipboard. Malicious applications may monitor the clipboard activity through the ClipboardManager.OnPrimaryClipChangedListener interface on Android to determine when the clipboard contents have changed. Listening to clipboard activity, reading the clipboard contents, and modifying the clipboard contents requires no explicit application permissions and can be performed by applications running in the background, however, this behavior has changed with the release of Android 10.
|
|
| T1471 | Data Encrypted for Impact | An adversary may encrypt files stored on the mobile device to prevent the user from accessing them, for example with the intent of only unlocking access to the files after a ransom is paid. Without escalated privileges, the adversary is generally limited to only encrypting files in external/shared storage locations. This technique has been demonstrated on Android. We are unaware of any demonstrated use on iOS. | |
| T1447 | Delete Device Data | Adversaries may wipe a device or delete individual files in order to manipulate external outcomes or hide activity. An application must have administrator access to fully wipe the device, while individual files may not require special permissions to delete depending on their storage location. | |
| T1446 | Device Lockout | An adversary may seek to lock the legitimate user out of the device, for example to inhibit user interaction or to obtain a ransom payment. | |
| T1472 | Generate Fraudulent Advertising Revenue | An adversary could seek to generate fraudulent advertising revenue from mobile devices, for example by triggering automatic clicks of advertising links without user involvement. | |
| T1516 | Input Injection | A malicious application can inject input to the user interface to mimic user interaction through the abuse of Android's accessibility APIs. | |
| T1452 | Manipulate App Store Rankings or Ratings | An adversary could use access to a compromised device's credentials to attempt to manipulate app store rankings or ratings by triggering application downloads or posting fake reviews of applications. This technique likely requires privileged access (a rooted or jailbroken device). | |
| T1400 | Modify System Partition | If an adversary can escalate privileges, he or she may be able to use those privileges to place malicious code in the device system partition, where it may persist after device resets and may not be easily removed by the device user. | |
| T1582 | SMS Control | Adversaries may delete, alter, or send SMS messages without user authorization. This could be used to hide C2 SMS messages, spread malware, or various external effects. | |