M1006: Use Recent OS Version
New mobile operating system versions bring not only patches against discovered vulnerabilities but also often bring security architecture improvements that provide resilience against potential vulnerabilities or weaknesses that have not yet been discovered. They may also bring improvements that block use of observed adversary techniques.
Analyst context for executives and security teams
Using a recent mobile OS version is a resilience control, not just a patching habit. For mobile fleets, newer Android and iOS releases can close known vulnerabilities and add security architecture changes that make whole classes of app abuse, discovery, data access, permission misuse, and persistence harder. The business value is reducing the chance that an outdated device becomes the weak point for credential exposure, sensitive data collection, or operational disruption.
Executive priority
Treat mobile OS currency as a measurable risk and compliance control. Leaders should ask: which business-critical users and workflows still depend on unsupported or lagging mobile OS versions, how quickly can devices be upgraded, and what exceptions are documented? This mitigation is especially relevant where mobile devices access corporate identity, email, messaging, location-sensitive operations, or regulated data. Budget and policy decisions should prioritize upgrade paths, device replacement where upgrades are no longer available, and evidence that mobile OS version posture is tracked over time.
Technical view
MITRE provides no detection guidance for M1006, so SOC and engineering teams should validate it as a posture and exposure-management control rather than as an alerting rule. Confirm that the mobile device inventory records OS version, update eligibility, and last check-in. Map stale OS versions against the mobile techniques MITRE relates to this mitigation: runtime code download, stored application data access, clipboard and input capture, software/process/file/network discovery, audio/video/location capture, replication through removable media, application executable compromise, event-triggered execution, device administrator abuse, execution guardrails, icon suppression, application removal prevention, and device lockout. Because the related techniques span Android and iOS, assess coverage separately per platform and OS release family.
Likely telemetry
- Mobile device inventory with OS version and build level
- Mobile device management or enterprise mobility management compliance status
- Device update eligibility and support status
- Last device check-in or enrollment status
- Installed application inventory where available
Detection direction
- Validate that the organization can report current versus outdated mobile OS versions across enrolled devices; this is the primary evidence for this mitigation because no official ATT&CK detection text is provided.
- Tune compliance reporting to distinguish temporarily pending updates from devices that are unsupported, unenrolled, or no longer checking in.
- Prioritize investigation of outdated devices that also have access to sensitive applications, identity tokens, corporate email, or regulated data.
- Use relationship context to test visibility for behaviors newer OS versions may constrain, such as suspicious permission use, device administrator abuse, hidden applications, runtime code loading, and attempts to access clipboard, location, audio, video, files, or network configuration.
- Watch for blind spots from unmanaged personal devices, stale MDM enrollment, devices outside update support windows, and users delaying upgrades.
Mitigation priorities
- Establish a minimum supported mobile OS baseline for corporate access.
- Track OS version compliance through mobile device or endpoint management tooling.
- Require upgrades for devices below baseline when updates are available.
- Replace or restrict devices that cannot receive recent OS versions.
- Document and time-limit exceptions, especially for privileged users or devices accessing sensitive data.
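The following added example (not MITRE's or Glexia's code) turns the technical view, detection direction and mitigation priorities above into a runnable posture check. It encodes the OS-level protections that the relationship table on this page attributes to specific Android and iOS releases, reports which of them a device's OS version still lacks, classifies each inventory row as compliant, update-pending, unsupported, lagging or stale-enrollment, and ranks outdated devices that hold sensitive access first. The baselines (Android 11, iOS 14), the 14-day check-in window, the Device field names and the inventory rows are assumptions, not page content.

```python
"""Mobile OS posture check built from the M1006 relationship table.

Added example, not MITRE's or Glexia's code. The inventory rows, the 14-day
staleness window, the baselines and the Device field names are assumptions
about what an MDM export might contain.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Protections the relationship table attributes to a release, keyed by the
# first OS version that ships them (only what the page itself states).
PROTECTIONS = {
    "android": {
        (7,): ["T1626.001 device administrator abuse hardening",
               "T1629.002 device admin passcode reset revoked",
               "T1632.001 system-CA-only trust default (API 24+ targets)"],
        (8,): ["T1624.001 implicit broadcast receiver limits"],
        (9,): ["T1409 cross-app internal storage isolation",
               "T1429/T1512 background mic and camera restriction"],
        (10,): ["T1414 background clipboard access blocked",
                "T1628.001 launcher icon suppression limits",
                "T1422 sensitive device identifier restriction",
                "T1407 no native code from internal data dir (API 29+ targets)"],
        (11,): ["T1418 package visibility filtering",
                "T1430 no 'Allow all the time' in the location prompt",
                "T1661 app hibernation resets permissions"],
        (12,): ["T1417.002 HIDE_OVERLAY_WINDOWS against overlays",
                "T1512 camera-in-use indicator"],
    },
    "ios": {
        (10, 3): ["T1632.001 extra step to install CA certs and profiles"],
        (11,): ["T1635.001 first-come-first-served URI handling"],
        (11, 4, 1): ["T1458 USB Restricted Mode"],
        (12,): ["T1418 private app-listing API removed"],
        (14,): ["T1430 per-app Precise Location choice",
                "T1512 camera-in-use indicator"],
    },
}
BASELINE = {"android": "11", "ios": "14"}  # assumed policy minimums
STALE_AFTER = timedelta(days=14)           # assumed check-in window
RANK = {"high": 0, "medium": 1, "low": 2}

def parse_version(text):
    """'11.4.1' -> (11, 4, 1); absent trailing components count as 0."""
    return tuple(int(part) for part in text.split("."))

def at_least(version, threshold):
    width = max(len(version), len(threshold))
    return (version + (0,) * width)[:width] >= (threshold + (0,) * width)[:width]

def missing_protections(platform, os_version):
    """Table entries this OS version does not yet have, oldest first."""
    version, table = parse_version(os_version), PROTECTIONS[platform]
    return [entry for threshold in sorted(table)
            if not at_least(version, threshold) for entry in table[threshold]]

@dataclass
class Device:
    device_id: str
    platform: str           # "android" or "ios"
    os_version: str
    supported: bool         # vendor still ships OS updates for this model
    update_available: bool  # a newer OS is offered but not yet installed
    last_checkin: date      # last MDM check-in
    sensitive_access: bool  # reaches mail, identity tokens or regulated data

def classify(dev, today):
    """Separate pending updates from unsupported, stale and lagging devices."""
    if today - dev.last_checkin > STALE_AFTER:
        return "stale-enrollment"   # posture unknown: a blind spot, not compliance
    if at_least(parse_version(dev.os_version), parse_version(BASELINE[dev.platform])):
        return "compliant"
    if not dev.supported:
        return "unsupported"        # replace or restrict
    if dev.update_available:
        return "update-pending"     # enforce the upgrade deadline
    return "lagging"                # supported, but no update offered yet

def priority(status, sensitive):
    return "low" if status == "compliant" else ("high" if sensitive else "medium")

def report(devices, today):
    """One row per device, highest priority first."""
    rows = []
    for dev in devices:
        status = classify(dev, today)
        rows.append({"device": dev.device_id, "status": status,
                     "priority": priority(status, dev.sensitive_access),
                     "missing": missing_protections(dev.platform, dev.os_version)})
    return sorted(rows, key=lambda r: (RANK[r["priority"]], r["device"]))

TODAY = date(2026, 3, 1)  # constructed reference date
INVENTORY = [             # constructed sample export
    Device("and-001", "android", "14", True, False, TODAY - timedelta(days=1), True),
    Device("and-002", "android", "9", False, False, TODAY - timedelta(days=2), True),
    Device("and-003", "android", "10", True, True, TODAY - timedelta(days=3), False),
    Device("ios-001", "ios", "17.4", True, False, TODAY - timedelta(days=40), True),
    Device("ios-002", "ios", "12.5.7", False, False, TODAY - timedelta(days=1), False),
]
```

Running `report(INVENTORY, TODAY)` puts the unsupported Android 9 device and the iOS device that has not checked in for 40 days at the top, both because they hold sensitive access; the stale device is ranked high even though its recorded version is current, since an unverified posture is the blind spot the detection direction warns about. The `missing` list for each row is what to hand an analyst when mapping that device against the related techniques.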
Analyst notes and limits
M1006 is a broad mobile mitigation. Its strength is that recent OS versions can provide both vulnerability patches and security architecture improvements that may block or reduce many observed mobile adversary techniques. The supplied relationships show this mitigation connected to a wide set of Android and iOS mobile behaviors, with several Android-specific techniques. Defensive value should therefore be measured as fleet posture and control coverage rather than as a single alert.
The ATT&CK object does not specify platforms, tactics, or detection guidance for the mitigation itself. Platform detail comes from the supplied related techniques, not from M1006 directly. Local device inventory, MDM coverage, OS support timelines, and business access patterns are required to determine actual risk and priority.
Use Recent OS Version
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Mobile | T1424 | Process Discovery | Android 7 and later iOS versions introduced changes that prevent applications from performing Process Discovery without elevated privileges. |
| Mobile | T1628.001 | Suppress Application Icon | Android 10 introduced changes to prevent malicious applications from fully suppressing their icon in the launcher. [Android 10 Limitations to Hiding App Icons] [LauncherApps getActivityList] |
| Mobile | T1641.001 | Transmitted Data Manipulation | Android 10 prevents applications from accessing clipboard data unless the application is in the foreground or is set as the device's default input method editor (IME). [Android 10 Privacy Changes] |
| Mobile | T1430 | Location Tracking | On Android 11 and up, users are not prompted with the option to select "Allow all the time" and must navigate to the settings page to manually select this option. On iOS 14 and up, users can select whether to provide Precise Location for each installed application. |
| Mobile | T1417.002 | GUI Input Capture | The `HIDE_OVERLAY_WINDOWS` permission was introduced in Android 12, allowing apps to hide overlay windows of type `TYPE_APPLICATION_OVERLAY` drawn by other apps with the `SYSTEM_ALERT_WINDOW` permission, preventing other applications from creating overlay windows on top of the current application. [Android 12 Features] |
| Mobile | T1629.001 | Prevent Application Removal | Recent versions of Android modified how device administrator applications are uninstalled, making it easier for the user to remove them. |
| Mobile | T1636 | Protected User Data | OS feature updates often enhance security and privacy around permissions. |
| Mobile | T1626.001 | Device Administrator Permissions | Changes were introduced in Android 7 to make abuse of device administrator permissions more difficult. [GoogleIO2016] |
| Mobile | T1632.001 | Code Signing Policy Modification | Mobile OSes have implemented measures to make it more difficult to trick users into installing untrusted certificates and configurations. iOS 10.3 and higher add an additional step for users to install new trusted CA certificates and configuration profiles. On Android, apps that target compatibility with Android 7 and higher (API Level 24) default to only trusting CA certificates that are bundled with the operating system, not CA certificates that are added by the user or administrator, hence decreasing their susceptibility to successful adversary-in-the-middle attack. [Symantec-iOSProfile2] [Android-TrustedCA] |
| Mobile | T1409 | Stored Application Data | Android 9 introduced a new security policy that prevents applications from reading or writing data to other applications' internal storage directories, regardless of permissions. |
| Mobile | T1407 | Download New Code at Runtime | Applications that target Android API level 29 or higher cannot execute native code stored in the application's internal data storage directory, limiting the ability of applications to download and execute native code at runtime. [Android 10 Execute] |
| Mobile | T1627 | Execution Guardrails | New OS releases frequently contain additional limitations or controls around device location access. |
| Mobile | T1635 | Steal Application Access Token | iOS 11 introduced a first-come-first-served principle for URIs, allowing only the prior installed app to be launched via the URI. [Trend Micro iOS URL Hijacking] Android 6 introduced App Links. |
| Mobile | T1512 | Video Capture | Android 9 and above restricts access to the mic, camera, and other device sensors from applications running in the background. iOS 14 and Android 12 introduced a visual indicator on the status bar (green dot) when an application is accessing the device's camera. [Android Capture Sensor 2019] |
| Mobile | T1641 | Data Manipulation | Recent OS versions have limited access to certain APIs unless certain conditions are met, making Data Manipulation more difficult. |
| Mobile | T1624.001 | Broadcast Receivers | Android 8 introduced additional limitations on the implicit intents that an application can register for. [Android Changes to System Broadcasts] |
| Mobile | T1422 | System Network Configuration Discovery | Android 10 introduced changes that prevent normal applications from accessing sensitive device identifiers. [TelephonyManager] |
| Mobile | T1661 | Application Versioning | Android 11 and above implement application hibernation, which can hibernate an application that has not been used for a few months and can reset the application's permission requests. [app_hibernation] |
| Mobile | T1420 | File and Directory Discovery | Security architecture improvements in each new version of Android and iOS make it more difficult to escalate privileges. Additionally, newer versions of Android have strengthened the sandboxing applied to applications, restricting their ability to enumerate file system contents. |
| Mobile | T1636.005 | Accounts | OS feature updates often enhance security and privacy around permissions. |
| Mobile | T1642 | Endpoint Denial of Service | Android 7 changed how the Device Administrator password APIs function. |
| Mobile | T1629.002 | Device Lockout | Recent versions of Android modified how device administrator applications are uninstalled, making it easier for the user to remove them. Android 7 introduced updates that revoke standard device administrators' ability to reset the device's passcode. |
| Mobile | T1429 | Audio Capture | Android 9 and above restricts access to microphone, camera, and other sensors from background applications. [Android Capture Sensor 2019] |
| Mobile | T1638 | Adversary-in-the-Middle | Recent OS versions have made it more difficult for applications to register as VPN providers. |
| Mobile | T1417 | Input Capture | The `HIDE_OVERLAY_WINDOWS` permission was introduced in Android 12, allowing apps to hide overlay windows of type `TYPE_APPLICATION_OVERLAY` drawn by other apps with the `SYSTEM_ALERT_WINDOW` permission, preventing other applications from creating overlay windows on top of the current application. [Android 12 Features] |
| Mobile | T1627.001 | Geofencing | New OS releases frequently contain additional limitations or controls around device location access. |
| Mobile | T1632 | Subvert Trust Controls | Mobile OSes have implemented measures to make it more difficult to trick users into installing untrusted certificates and configurations. iOS 10.3 and higher add an additional step for users to install new trusted CA certificates and configuration profiles. On Android, apps that target compatibility with Android 7 and higher (API Level 24) default to only trusting CA certificates that are bundled with the operating system, not CA certificates that are added by the user or administrator, hence decreasing their susceptibility to successful adversary-in-the-middle attack. [Symantec-iOSProfile2] [Android-TrustedCA] |
| Mobile | T1624 | Event Triggered Execution | Android 8 introduced additional limitations on the implicit intents that an application can register for. [Android Changes to System Broadcasts] |
| Mobile | T1418.001 | Security Software Discovery | Android 11 introduced privacy enhancements to package visibility, filtering results that are returned from the package manager. iOS 12 removed the private API that could previously be used to list installed applications on non-app store applications. [Android Package Visibility] |
| Mobile | T1414 | Clipboard Data | Android 10 introduced changes to prevent applications from accessing clipboard data if they are not in the foreground or set as the device's default IME. [Android 10 Privacy Changes] |
| Mobile | T1458 | Replication Through Removable Media | iOS 11.4.1 and higher introduce USB Restricted Mode, which disables data access through the device's charging port under certain conditions (making the port only usable for power), likely preventing this technique from working. [Elcomsoft-iOSRestricted] |
| Mobile | T1422.002 | Wi-Fi Discovery | Android 10 introduced changes that prevent normal applications from accessing sensitive device identifiers. [TelephonyManager] |
| Mobile | T1418 | Software Discovery | Android 11 introduced privacy enhancements to package visibility, filtering results that are returned from the package manager. iOS 12 removed the private API that could previously be used to list installed applications on non-app store applications. [Android Package Visibility] |
| Mobile | T1635.001 | URI Hijacking | iOS 11 introduced a first-come-first-served principle for URIs, allowing only the prior installed app to be launched via the URI. [Trend Micro iOS URL Hijacking] Android 6 introduced App Links. |
| Mobile | T1577 | Compromise Application Executable | Many vulnerabilities related to injecting code into existing applications have been patched in previous Android releases. |
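The T1632 and T1632.001 rows state that apps targeting API level 24 and higher trust only the system CA store by default. That default is per-app, not per-device: an app can opt back in through its Network Security Configuration, so before crediting the OS version with closing the adversary-in-the-middle path, a reviewer checks the app's own config. The added example below (not MITRE's or Glexia's code) parses two constructed `network_security_config.xml` documents, one that re-enables user-installed CAs in `base-config` and for one domain, and one that confines them to `debug-overrides`, and reports where a release build would trust a user-installed CA. The targetSdkVersion values passed in are assumptions for illustration.

```python
"""Flag Android app configs that re-enable trust in user-installed CAs.

Added example, not MITRE's or Glexia's code. Both XML documents and the
targetSdkVersion values are constructed for illustration.
"""
import xml.etree.ElementTree as ET

# Constructed: opts back in to user-installed CAs for every connection and,
# separately, for one domain. Either undoes the Android 7 (API 24) default.
WEAK_CONFIG = """<network-security-config>
  <base-config>
    <trust-anchors>
      <certificates src="system"/>
      <certificates src="user"/>
    </trust-anchors>
  </base-config>
  <domain-config>
    <domain includeSubdomains="true">api.example.com</domain>
    <trust-anchors>
      <certificates src="user"/>
    </trust-anchors>
  </domain-config>
</network-security-config>"""

# Constructed: system CAs only; user CAs appear solely under debug-overrides,
# which Android applies only to debuggable builds.
HARDENED_CONFIG = """<network-security-config>
  <base-config>
    <trust-anchors>
      <certificates src="system"/>
    </trust-anchors>
  </base-config>
  <debug-overrides>
    <trust-anchors>
      <certificates src="user"/>
    </trust-anchors>
  </debug-overrides>
</network-security-config>"""


def trusts_user(section):
    """True if this section's own trust-anchors include src="user"."""
    return any(cert.get("src") == "user"
               for cert in section.findall("trust-anchors/certificates"))


def user_ca_findings(config_xml, target_sdk):
    """Places where a release build would trust user-installed CAs."""
    findings = []
    if target_sdk < 24:
        findings.append(f"targetSdkVersion {target_sdk} < 24: user CAs trusted by default")
    root = ET.fromstring(config_xml)
    for node in root.iter("base-config"):
        if trusts_user(node):
            findings.append("base-config trusts user CAs for all connections")
    for node in root.iter("domain-config"):      # iter() also reaches nested configs
        if trusts_user(node):
            domains = ", ".join((d.text or "").strip() for d in node.findall("domain"))
            findings.append(f"domain-config [{domains}] trusts user CAs")
    return findings


def debug_trusts_user(config_xml):
    """User CAs under debug-overrides: inert in release builds, report separately."""
    root = ET.fromstring(config_xml)
    return any(trusts_user(node) for node in root.iter("debug-overrides"))
```

`user_ca_findings(WEAK_CONFIG, 23)` reports three weaknesses (the low target SDK, the base-config opt-in and the per-domain opt-in); the hardened config yields none, and its debug-only user-CA trust shows up only through `debug_trusts_user`, which is the distinction a reviewer needs so that a legitimate test-proxy setup is not confused with a production weakening.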
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources page on updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 01133adea15c… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack: M1006
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.