S1126: Phenakite
Analyst context for executives and security teams
Phenakite matters because it represents mobile malware aimed at iOS users, not just traditional desktop or Android targets. For leaders, the practical issue is whether high-risk personnel using iPhones are covered by the same security, incident response, and evidence expectations as managed endpoints. The ATT&CK relationships show behaviors consistent with privilege escalation, input capture, local data collection, contact and SMS access, microphone/camera collection, tool transfer, and masquerading.
Executive priority
Treat Phenakite as a prompt to validate mobile security governance for iOS: who owns visibility, how quickly suspicious devices can be triaged, and whether executive, legal, communications, and field personnel have enforceable controls. Because ATT&CK provides no detection text for this object, priority should be on confirming telemetry availability, mobile device management posture, patch discipline, and incident response procedures rather than assuming SOC coverage exists.
Technical view
SOC and IR teams should map iOS mobile telemetry against the related techniques: Exploitation for Privilege Escalation, Input Capture, System Information Discovery, Audio Capture, Video Capture, Data from Local System, Ingress Tool Transfer, Contact List, SMS Messages, and Match Legitimate Name or Location. Validate whether mobile tooling can surface unusual permission use, suspicious application identity or placement, jailbreak or privilege-escalation indicators, unexpected access to contacts/SMS/local data, and anomalous network transfer activity from iOS devices. Since no official ATT&CK detection guidance is provided, detections should be derived from local MDM/EDR/mobile threat defense capabilities and tested with benign administrative and privacy-preserving scenarios.
Likely telemetry
- iOS device inventory, OS version, patch level, and jailbreak or integrity status
- Mobile device management compliance records and configuration profiles
- Application inventory, signing/source metadata, names, icons, and install locations where available
- Application permission grants or prompts for microphone, camera, contacts, and related sensitive access
- Mobile security alerts for privilege escalation, suspicious app behavior, or masquerading
Detection direction
- Confirm whether iOS devices are actually monitored; many endpoint-centric SOC programs have limited mobile visibility.
- Tune for suspicious combinations rather than single events: sensitive permission use plus unusual app identity, device integrity issues, or unexpected network transfer is more meaningful than a permission grant alone.
- Review false positives from legitimate communications, camera, conferencing, and contact-management applications before escalating.
- Use the relationship context to build coverage tests for collection behaviors: contacts, SMS where accessible, local files, audio/video, and input capture indicators.
- Track mobile patch and OS version exposure because the related privilege escalation behavior depends on exploitable software weaknesses.
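As an added example (not Glexia's or MITRE's code) of the combination rule above: it scores constructed iOS MDM/MTD records by grouping signals into independent categories (integrity, app identity, sensitive permissions, transfer volume) and flags a device only when two or more categories fire, mapping each signal to the mobile techniques listed on this page. The bundle identifiers, the chat-app allow-list, the egress threshold and the sample records are assumptions.

```python
from dataclasses import dataclass

# Sensitive permission -> ATT&CK mobile technique listed for Phenakite on this page.
SENSITIVE = {"microphone": "T1429", "camera": "T1512",
             "contacts": "T1636.003", "sms": "T1636.004"}
# Constructed allow-list: approved display name -> expected bundle id (assumed values).
APPROVED_CHAT_APPS = {"Magic Smile": "com.example.magicsmile"}

@dataclass
class App:
    name: str
    bundle_id: str
    permissions: frozenset   # sensitive permissions granted to this app

@dataclass
class Device:
    device_id: str
    jailbroken: bool          # integrity status reported by MDM / mobile threat defense
    apps: list
    egress_mb: float          # outbound transfer in the review window
    baseline_egress_mb: float # per-device historical baseline

def score_device(dev, egress_ratio=3.0):
    """Return (signal categories, techniques) for one device record."""
    signals, techniques = set(), set()
    if dev.jailbroken:                                     # T1404 indicator
        signals.add("integrity"); techniques.add("T1404")
    if dev.baseline_egress_mb > 0 and dev.egress_mb / dev.baseline_egress_mb >= egress_ratio:
        signals.add("transfer"); techniques.add("T1544")   # anomalous transfer volume
    for app in dev.apps:
        expected = APPROVED_CHAT_APPS.get(app.name)
        if expected and app.bundle_id != expected:         # known name, unexpected identity
            signals.add("identity"); techniques.add("T1655.001")
        granted = app.permissions & set(SENSITIVE)
        if granted:                                        # a grant alone is only one category
            signals.add("permissions"); techniques.update(SENSITIVE[p] for p in granted)
    return signals, techniques

def triage(devices, min_signals=2):
    """Flag only devices where at least min_signals independent categories fire."""
    return {dev.device_id: sorted(score_device(dev)[1])
            for dev in devices if len(score_device(dev)[0]) >= min_signals}

SAMPLE_DEVICES = [  # constructed telemetry, not real device data
    Device("ios-legit", False,
           [App("Magic Smile", "com.example.magicsmile", frozenset({"microphone", "camera"}))],
           120.0, 100.0),
    Device("ios-suspect", True,
           [App("Magic Smile", "com.example.other", frozenset({"microphone", "contacts", "sms"}))],
           900.0, 100.0),
]

if __name__ == "__main__":
    print(triage(SAMPLE_DEVICES))
```

The legitimate device carries the same microphone/camera grants as the suspect one but never reaches the threshold, which is the false-positive behaviour the bullets ask for.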
Mitigation priorities
- Prioritize iOS patching and supported OS versions for managed devices, especially high-risk users.
- Enforce MDM baselines for application installation sources, device integrity, configuration compliance, and rapid lock/wipe or containment workflows.
- Limit and review sensitive permissions such as microphone, camera, contacts, and local data access where business processes allow.
- Maintain mobile incident response procedures, including escalation paths, privacy/legal handling, and evidence collection expectations.
- Educate targeted user groups that mobile devices are in scope for security reporting, especially when prompts, app identities, or device behavior appear unusual.
Analyst notes and limits
The supplied ATT&CK object identifies Phenakite as iOS mobile malware used by APT-C-23 and cites reporting that it was developed to address targeting of iPhone users. The most useful defensive value comes from the related mobile techniques, which indicate the types of collection, privilege, transfer, and masquerading behaviors defenders should validate against their mobile controls.
ATT&CK provides no official detection guidance, no tactics for this malware object, and no aliases or labels in the supplied fields. This summary does not establish current activity, customer exposure, or guaranteed detectability. Local device management, mobile security telemetry, legal constraints, and user population risk are required to determine actual coverage.
Phenakite
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Mobile | T1636.004 | SMS Messages (sub-technique) | Phenakite can read SMS messages. [2] |
| Mobile | T1655.001 | Match Legitimate Name or Location (sub-technique) | Phenakite can masquerade as the chat application "Magic Smile." [2] |
| Mobile | T1533 | Data from Local System | Phenakite can collect and exfiltrate WhatsApp media, photos, and files with specific extensions, such as .pdf and .doc. [2] |
| Mobile | T1544 | Ingress Tool Transfer | Phenakite can download additional malware to the victim device. [2] |
| Mobile | T1429 | Audio Capture | Phenakite can record phone calls. [2] |
| Mobile | T1417 | Input Capture | Phenakite has used phishing sites for iCloud and Facebook if either of those was used for authentication during the chat sign-up process. [2] |
| Mobile | T1426 | System Information Discovery | Phenakite can collect device metadata. [2] |
| Mobile | T1512 | Video Capture | Phenakite can capture pictures and videos. [2] |
| Mobile | T1636.003 | Contact List (sub-technique) | Phenakite can exfiltrate the victim device's contact list. [2] |
| Mobile | T1404 | Exploitation for Privilege Escalation | Phenakite has included exploits for jailbreaking infected devices. [2] |
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources "Updates" page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 991c7dedcae3… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] sentinelone_israel_hamas_war: Hegel, T., Milenkoski, A. (2023, October 24). The Israel-Hamas War | Cyber Domain State-Sponsored Activity of Interest. Retrieved March 4, 2024.
- [2] fb_arid_viper: Flossman, M., Scott, M. (2021, April). Technical Paper // Taking Action Against Arid Viper. Retrieved November 17, 2024.
- [3] mitre-attack: S1126 (MITRE ATT&CK source record).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.