MITRE ATT&CK® Mitigation

M1058: Antivirus/Antimalware

Mobile security products, such as Mobile Threat Defense (MTD), offer various device-based mitigations against certain behaviors.

Domain: Mobile · ID: M1058 · Type: Mitigation · Object version 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

Mobile antivirus/antimalware and Mobile Threat Defense controls matter because they can reduce exposure to some device-based behaviors tied to mobile phishing and exploitation for initial access. For leaders, the decision value is not “do we have a tool,” but whether mobile security coverage is actually deployed, monitored, and integrated into incident response for Android and iOS risks where the related ATT&CK techniques apply.

Executive priority

Treat this mitigation as part of mobile resilience and identity-risk reduction. Mobile devices are often access points to corporate email, messaging, cloud apps, and privileged workflows, so phishing or exploitation on a device can become an enterprise incident. Executives should ask whether mobile security products are deployed to relevant user groups, whether alerts are reviewed by the SOC, and whether mobile incidents produce evidence usable for response, compliance, and risk decisions.

Technical view

ATT&CK provides this as a mobile mitigation, not a detection analytic. The supplied relationship context says it mitigates mobile Phishing (T1660) and Exploitation for Initial Access (T1664), both associated with Android and iOS in the related objects. SOC and IR teams should validate whether mobile security products generate actionable device, app, network, URL, and vulnerability or exploit-related signals; whether those signals are centralized; and whether response playbooks cover suspected malicious content delivery and suspected exploitation on mobile devices.

Likely telemetry

  • Mobile Threat Defense or mobile security product alerts
  • Mobile device inventory and enrollment status
  • Device posture and compliance state
  • Mobile app inventory and app reputation or risk findings
  • Suspicious URL, message, or content indicators where collected by mobile security tooling

Detection direction

  • Do not treat this mitigation as detection coverage by default; ATT&CK provides no official detection text for M1058.
  • Validate that mobile security alerts are ingested into the SOC workflow and mapped to mobile phishing and exploitation-for-initial-access scenarios.
  • Check coverage gaps for unmanaged, unenrolled, personally owned, or executive/high-risk devices where mobile security products may not be present.
  • Tune alert handling to distinguish user-reported suspicious messages, benign app behavior, policy violations, and higher-confidence malicious or exploit-related findings.
  • Correlate mobile security findings with identity, email, cloud access, and endpoint events when available, because mobile compromise may surface first as suspicious access rather than a traditional malware alert.
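An added illustration of the ingestion and mapping step described above (example code, not Glexia's or MITRE's): it tags constructed MTD alerts with the two techniques M1058 is linked to, orders them by triage tier so higher-confidence findings surface first, and lists roster users with no MTD enrollment. The alert categories, field names and sample users are assumptions, not any vendor's schema.

```python
"""Normalise constructed MTD alerts into SOC events tagged with the ATT&CK
techniques M1058 mitigates (T1660 Phishing, T1664 Exploitation for Initial
Access), assign a triage tier, and list users with no MTD visibility."""
from collections import Counter

# Assumed MTD alert category -> (ATT&CK technique, triage tier).
CATEGORY_MAP = {
    "phishing_url_blocked": ("T1660", "high"),     # loopback-VPN URL block
    "user_reported_message": ("T1660", "review"),  # unverified user report
    "exploit_detected": ("T1664", "high"),
    "vulnerable_os_version": ("T1664", "medium"),  # feeds patch prioritisation
    "sideloaded_app": (None, "policy"),            # policy violation only
}
TIER_ORDER = {"high": 0, "medium": 1, "review": 2, "policy": 3, "unknown": 4}

# Constructed sample data; not real telemetry or real users.
ALERTS = [
    {"user": "alice", "device": "A1", "category": "phishing_url_blocked"},
    {"user": "bob", "device": "B1", "category": "vulnerable_os_version"},
    {"user": "bob", "device": "B1", "category": "user_reported_message"},
    {"user": "dave", "device": "D1", "category": "sideloaded_app"},
    {"user": "dave", "device": "D1", "category": "root_check_failed"},  # unmapped
]
ROSTER = {"alice": True, "bob": True, "carol": False, "dave": True}  # MTD enrolled?

def map_alert(alert):
    """Tag one alert with technique and tier; unknown categories stay
    visible as 'unknown' rather than being silently dropped."""
    technique, tier = CATEGORY_MAP.get(alert["category"], (None, "unknown"))
    return {**alert, "technique": technique, "tier": tier}

def triage(alerts):
    """Order mapped alerts so higher-confidence findings come first."""
    return sorted((map_alert(a) for a in alerts), key=lambda a: TIER_ORDER[a["tier"]])

def technique_counts(alerts):
    """Alerts per ATT&CK technique (None = no technique mapping)."""
    return Counter(a["technique"] for a in triage(alerts))

def coverage_gaps(roster):
    """Users without MTD enrollment: no alerts means no visibility, not safety."""
    return sorted(u for u, enrolled in roster.items() if not enrolled)

if __name__ == "__main__":
    for a in triage(ALERTS):
        print(f'{a["tier"]:7} {a["technique"] or "-":6} {a["user"]} {a["category"]}')
    print("no MTD visibility:", coverage_gaps(ROSTER))
```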

Mitigation priorities

  • Confirm which mobile populations require protection based on business risk, including users with sensitive data access or operational responsibilities.
  • Deploy and maintain mobile security products where appropriate, such as Mobile Threat Defense, with clear ownership for monitoring and response.
  • Integrate mobile security findings with incident response workflows so phishing and suspected exploitation cases are triaged consistently.
  • Use device posture, OS/application version visibility, and mobile security alerts to support vulnerability prioritization for mobile fleets.
  • Maintain policy evidence showing enrollment, alert review, and response outcomes for audit and compliance readiness where mobile access is in scope.

Analyst notes and limits

This ATT&CK object is a course-of-action mitigation in the mobile ATT&CK domain. Its official description is brief and states that mobile security products, such as Mobile Threat Defense, offer device-based mitigations against certain behaviors. The available relationship context ties the mitigation to mobile Phishing and Exploitation for Initial Access, which is the basis for the defensive framing here.

Platforms and tactics are not specified on the mitigation object itself, and no official detection guidance is provided. The practical value depends on local mobile device management, ownership model, telemetry integration, alert quality, and incident response process. This summary does not assert active exploitation, attribution, or guaranteed detection coverage.

Official MITRE ATT&CK definition

Antivirus/Antimalware

Mobile security products, such as Mobile Threat Defense (MTD), offer various device-based mitigations against certain behaviors.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure
Mobile | T1660 | Phishing | Some mobile security products offer a loopback VPN used for inspecting traffic. This could proactively block traffic to websites that are known for phishing or appear to be conducting a phishing attack.
Mobile | T1664 | Exploitation for Initial Access | Mobile security products can potentially detect if a device is vulnerable to a known exploit and can alert the user to update their device.


Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 2cf79f97ffcdf7b7...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | 2cf79f97ffcd…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack M1058 (MITRE source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.