Live Active security incident? Get immediate response
MITRE ATT&CK® Technique

T1404: Exploitation for Privilege Escalation

Adversaries may exploit software vulnerabilities in order to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in an application, service, within the operating system software, or kernel itself to execute adversary-controlled code. Security constructions, such as permission levels, will often hinder access to information and use of certain techniques. Adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.

When initially gaining access to a device, an adversary may be operating within a lower privileged process which will prevent them from accessing certain resources on the system. Vulnerabilities may exist, usually in operating system components and applications running at higher permissions, that can be exploited to gain higher levels of access on the system. This could enable someone to move from unprivileged or user- level permission to root permissions depending on the component that is vulnerable.

MobileT1404TechniqueObject v2.1 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

Mobile privilege-escalation exploitation matters because a compromised app or process may be able to break out of normal Android or iOS permission boundaries and gain higher access to device data, identity tokens, applications, or operating system functions. For executives and security leaders, the decision point is whether mobile devices that access enterprise resources are patched, attested, and monitored well enough to keep a single vulnerable phone from becoming an unmanaged access path into business data.

Executive priority

Prioritize this behavior where mobile devices are used for email, collaboration, privileged workflows, regulated data, or executive communications. ATT&CK links this technique to multiple mobile malware families and one mobile campaign, showing that privilege escalation is a recurring pattern in mobile intrusion tradecraft. Leadership should ask whether the organization can prove mobile patch currency, block or limit enterprise access from outdated devices, identify rooted or jailbroken devices, and preserve enough mobile evidence for incident response and compliance review.

Technical view

T1404 applies to Android and iOS. The ATT&CK object does not specify tactics and provides no native detection text, so SOC and IR teams should validate coverage through mobile device posture, patch level, attestation results, compromised-device indicators, and EMM/MDM access-control events rather than assuming endpoint-style telemetry exists. Relationship context highlights DET0665 as a detection strategy and mitigations M1001 Security Updates, M1002 Attestation, and M1010 Deploy Compromised Device Detection Method. Defenders should test whether devices with old security patch levels, failed attestation, or rooted/jailbroken status are visible and whether access to enterprise resources is limited or blocked.

Likely telemetry

  • Android security patch level and OS version inventory from EMM/MDM or mobile management tooling
  • iOS version and device compliance posture from EMM/MDM or mobile management tooling
  • Remote attestation results where available, including pass/fail and device integrity status
  • Rooted or jailbroken device indicators from built-in controls, MDM/EMM, or mobile security tools
  • Enterprise access logs showing device compliance state at authentication or resource access time

Detection direction

  • Confirm whether DET0665-aligned detection logic exists in the environment or whether mobile privilege escalation is only addressed through policy compliance checks.
  • Tune detection and triage around device integrity changes, failed attestation, outdated patch levels, and signs of compromised devices rather than looking only for malware names.
  • Correlate mobile posture failures with enterprise authentication and resource access to determine whether an elevated-risk device had access to sensitive services.
  • Account for blind spots: ATT&CK provides no detection procedure here, mobile telemetry is often limited, and some compromised-device detection methods may be evasible per the mitigation context.
  • Use relationship context to inform threat modeling: several Android and iOS malware entries are associated with this behavior, but local detection should be based on observed device posture and telemetry, not assumed malware attribution.

Mitigation priorities

  • First, enforce security update hygiene: require recent Android and iOS security updates, prefer devices with clear vendor or carrier update commitments, and decommission devices that no longer receive updates.
  • Second, limit or block enterprise access from devices that have not installed recent security updates; for Android, use security patch level where available.
  • Third, enable remote attestation where available and prohibit devices that fail attestation from accessing enterprise resources.
  • Fourth, deploy compromised-device detection methods for rooted or jailbroken devices, while recognizing that some methods may be easier to evade than others.
  • Finally, maintain mobile incident response procedures for collecting device posture, access history, and management evidence when exploitation is suspected.
Analyst notes and limits

The strongest business value of this object is in mobile access governance: patch currency, attestation, compromised-device detection, and conditional access decisions. The relationship set includes Operation Triangulation and multiple malware families, including Android and iOS examples, which supports treating mobile privilege escalation as a material risk pattern without asserting current activity in any specific environment.

The supplied ATT&CK object has no official detection text and no specified tactics. Detection and control recommendations are therefore derived only from the provided platforms, description, external references, and relationships. Local device management capabilities, mobile telemetry availability, privacy constraints, and access-control architecture will determine practical coverage.

Official MITRE ATT&CK definition

Exploitation for Privilege Escalation

Adversaries may exploit software vulnerabilities in order to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in an application, service, within the operating system software, or kernel itself to execute adversary-controlled code. Security constructions, such as permission levels, will often hinder access to information and use of certain techniques. Adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.

When initially gaining access to a device, an adversary may be operating within a lower privileged process which will prevent them from accessing certain resources on the system. Vulnerabilities may exist, usually in operating system components and applications running at higher permissions, that can be exploited to gain higher levels of access on the system. This could enable someone to move from unprivileged or user- level permission to root permissions depending on the component that is vulnerable.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Associated objects

Groups, software, and campaigns

Malware Mobile

S1061: AbstractEmu

AbstractEmu is mobile malware that was first seen in Google Play and other third-party stores in October 2021. It was discovered in 19 Android applications, of which at least 7 abused known Android exploits for obtaining root permissions. AbstractEmu was observed primarily impacting users in the United States, however victims are believed to be across a total of 17 countries.[1]

Android
Malware Mobile

S0405: Exodus

Exodus is Android spyware deployed in two distinct stages named Exodus One (dropper) and Exodus Two (payload).[1]

Android
Malware Mobile

S0440: Agent Smith

Agent Smith is mobile malware that generates financial gain by replacing legitimate applications on devices with malicious versions that include fraudulent ads. As of July 2019 Agent Smith had infected around 25 million devices, primarily targeting India though effects had been observed in other Asian countries as well as Saudi Arabia, the United Kingdom, and the United States.[1]

Android
Malware Mobile

S0290: Gooligan

Gooligan is a malware family that runs privilege escalation exploits on Android devices and then uses its escalated privileges to steal authentication tokens that can be used to access data from many Google applications. Gooligan has been described as part of the Ghost Push Android malware family. [1] [2] [3]

Android
Malware Mobile

S0182: FinFisher

FinFisher is a government-grade commercial surveillance spyware reportedly sold exclusively to government agencies for use in targeted and lawful criminal investigations. It is heavily obfuscated and uses multiple anti-analysis techniques. It has other variants including Wingbird. [1] [2] [3] [4] [5]

WindowsAndroid
Malware Mobile

S0420: Dvmap

Dvmap is rooting malware that injects malicious code into system runtime libraries. It is credited with being the first malware that performs this type of code injection.[1]

Android
Relationship explorer

All related ATT&CK context

uses · Malware S0293: BrainTest Mobile uses · Malware S0463: INSOMNIA Mobile uses · Campaign C0054: Operation Triangulation Mobile detects · Detection Strategy DET0665: Detection of Exploitation for Privilege Escalation Mobile mitigates · Mitigation M1001: Security Updates Mobile uses · Malware S1061: AbstractEmu Mobile mitigates · Mitigation M1002: Attestation Mobile uses · Malware S0494: Zen Mobile uses · Malware S0405: Exodus Mobile uses · Malware S0316: Pegasus for Android Mobile uses · Malware S0289: Pegasus for iOS Mobile uses · Malware S0440: Agent Smith Mobile uses · Malware S0550: DoubleAgent Mobile uses · Malware S0290: Gooligan Mobile uses · Malware S0182: FinFisher Mobile uses · Malware S0420: Dvmap Mobile mitigates · Mitigation M1010: Deploy Compromised Device Detection Method Mobile uses · Malware S0322: HummingBad Mobile uses · Malware S0324: SpyDealer Mobile uses · Malware S0327: Skygofree Mobile uses · Malware S1185: LightSpy Mobile uses · Malware S1126: Phenakite Mobile uses · Malware S0294: ShiftyBug Mobile
Mitigations

Mitigation direction

Mitigation Mobile

M1001: Security Updates

Install security updates in response to discovered vulnerabilities.

Purchase devices with a vendor and/or mobile carrier commitment to provide security updates in a prompt manner for a set period of time.

Decommission devices that will no longer receive security updates.

Limit or block access to enterprise resources from devices that have not installed recent security updates.

On Android devices, access can be controlled based on each device's security patch level. On iOS devices, access can be controlled based on the iOS version.

Mitigation Mobile

M1002: Attestation

Enable remote attestation capabilities when available (such as Android SafetyNet or Samsung Knox TIMA Attestation) and prohibit devices that fail the attestation from accessing enterprise resources.

Mitigation Mobile

M1010: Deploy Compromised Device Detection Method

A variety of methods exist that can be used to enable enterprises to identify compromised (e.g. rooted/jailbroken) devices, whether using security mechanisms built directly into the device, third-party mobile security applications, enterprise mobility management (EMM)/mobile device management (MDM) capabilities, or other methods. Some methods may be trivial to evade while others may be more sophisticated.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
2.1
Created
Modified
Raw hash
986e908e31daa4c6...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 2.1 Current bundle 986e908e31da…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    NIST Mobile Threat Catalogue APP-26
    Open source URL
  2. [2]
    mitre-attack T1404
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use