MITRE ATT&CK® Technique

T1458: Replication Through Removable Media

Adversaries may move onto devices by exploiting or copying malware to devices connected via USB. In the case of Lateral Movement, adversaries may utilize the physical connection of a device to a compromised or malicious charging station or PC to bypass application store requirements and install malicious applications directly.[1] In the case of Initial Access, adversaries may attempt to exploit the device via the connection to gain access to data stored on the device.[2] Examples of this include:

  • Exploiting insecure bootloaders in a Nexus 6 or 6P device over USB and gaining the ability to perform actions including intercepting phone calls, intercepting network traffic, and obtaining the device physical location.[3]
  • Exploiting weakly-enforced security boundaries in Android devices such as the Google Pixel 2 over USB.[4]
  • Products from Cellebrite and Grayshift purportedly that can exploit some iOS devices using physical access to the data port to unlock the passcode.[5]

Platform: Mobile | ID: T1458 | Type: Technique | Object version 2.1 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

Replication Through Removable Media matters because a mobile device can be compromised through a physical USB connection, not only through apps, phishing, or network traffic. For executives and security leaders, the practical issue is whether corporate Android and iOS devices are protected when users connect them to PCs, charging stations, or other USB-accessible systems, especially in travel, field, legal, executive, or high-sensitivity environments.

Executive priority

Treat this as a mobile and physical-access risk that can affect business continuity, data protection, and incident response readiness. Priority decisions should focus on whether the organization can enforce mobile OS currency, security patch levels, locked bootloaders where applicable, and enterprise mobility policies before allowing access to enterprise resources. This technique also creates audit-relevant questions: can the business prove which mobile devices are managed, updated, and restricted from risky USB behaviors?

Technical view

ATT&CK lists Android and iOS as platforms and describes compromise or malware movement through USB-connected devices, malicious charging stations, or compromised PCs. No official detection text is provided, but the relationship context includes a detection strategy, DET0691, and mitigations covering security updates, locked bootloaders, recent OS versions, user guidance, and enterprise policy. SOC, IR, and mobile security teams should validate whether their mobile device management or enterprise mobility tooling can report OS version, security patch level, bootloader state (where the device exposes it), device compliance, and policy exceptions. Relationship context also lists WireLurker and DualToy as software that uses this behavior; both involve malware on a desktop host interacting with mobile devices connected over USB.

Likely telemetry

  • Mobile device inventory and enrollment status from EMM/MDM systems
  • Android security patch level and iOS/Android OS version reporting
  • Device compliance state and enterprise resource access decisions
  • Bootloader lock status where the device and management stack support checking it
  • Records of devices that are unmanaged, out of support, or missing recent security updates

Detection direction

  • Confirm whether DET0691 or equivalent local detection logic exists and what data sources it depends on, because the ATT&CK object does not provide official detection guidance.
  • Hunt for gaps before tuning alerts: unmanaged mobile devices, unsupported OS versions, missing security patches, and devices allowed to access enterprise resources despite noncompliance.
  • Use relationship-driven context cautiously: WireLurker and DualToy show this behavior can involve compromised macOS or Windows systems installing malicious apps onto USB-connected mobile devices, so investigations may need both mobile and endpoint evidence.
  • Expect false positives around normal charging, backup, development, or support workflows; detection should distinguish authorized USB workflows from unusual or policy-violating device connection patterns where telemetry is available.
  • Validate IR playbooks for cases where the first observable evidence is not network traffic but a physical connection history, mobile compliance change, or suspicious application presence.

Mitigation priorities

  • Prioritize security updates and recent mobile OS versions; restrict enterprise access from devices that have not installed recent updates or are no longer supported.
  • Where supported, periodically verify that Android bootloaders remain locked.
  • Use EMM/MDM enterprise policy to enforce device compliance and reduce risky mobile behaviors before access to enterprise resources is granted.
  • Provide user guidance for avoiding risky USB connections, including untrusted charging stations or unknown PCs.
  • Decommission or block devices that can no longer receive timely security updates from the vendor or carrier.
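
The gap hunt described under "Detection direction" (unmanaged devices, unsupported or outdated OS versions, stale patch levels, bootloader state, and access granted despite noncompliance) and the compliance gating described under "Mitigation priorities" can be run as one pass over an EMM/MDM inventory export. The following is an added example, not Glexia's, MITRE's, or any MDM vendor's code: it assumes the export has been flattened into per-device records with the fields shown, and the field names, policy thresholds, reference date, and sample devices are all constructed for illustration.

```python
"""Hunt an EMM/MDM inventory for the fleet gaps that matter for T1458.

Added example (not Glexia's or MITRE's code). The record schema, thresholds
and sample devices below are constructed assumptions; map them onto the
fields your own EMM/MDM export actually provides.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# Policy thresholds (assumptions; tune to the organisation's own baseline).
MIN_OS = {"android": (13, 0), "ios": (17, 0)}   # minimum major.minor per platform
MAX_PATCH_AGE_DAYS = 90                          # Android security patch level age


@dataclass
class Device:
    """One flattened EMM/MDM inventory record (constructed schema)."""
    device_id: str
    platform: str                 # "android" or "ios"
    os_version: str               # dotted version string, e.g. "14.0"
    managed: bool                 # enrolled in EMM/MDM
    compliant: bool               # the MDM's own compliance verdict
    has_enterprise_access: bool   # current conditional-access decision
    security_patch: str | None = None      # Android patch level "YYYY-MM-DD"
    bootloader_locked: bool | None = None  # None = not reported by the stack
    vendor_supported: bool = True          # still receiving vendor/carrier updates


def parse_version(version: str) -> tuple[int, ...]:
    """Turn "14.0" into (14, 0) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def assess(dev: Device, today: date) -> list[str]:
    """Return the gap codes for one device; an empty list means no finding."""
    gaps: list[str] = []
    if not dev.managed:
        gaps.append("unmanaged")
    if not dev.vendor_supported:
        gaps.append("out_of_support")
    if parse_version(dev.os_version) < MIN_OS[dev.platform]:
        gaps.append("os_below_minimum")
    if dev.platform == "android":
        # Patch level is the strongest signal for USB-reachable bugs on Android.
        if dev.security_patch is None:
            gaps.append("patch_level_unknown")
        elif (today - date.fromisoformat(dev.security_patch)).days > MAX_PATCH_AGE_DAYS:
            gaps.append("patch_stale")
        # Distinguish "unlocked" (a finding) from "not reported" (a telemetry gap).
        if dev.bootloader_locked is False:
            gaps.append("bootloader_unlocked")
        elif dev.bootloader_locked is None:
            gaps.append("bootloader_state_unknown")
    # The highest-priority case: access granted even though gaps or noncompliance exist.
    if dev.has_enterprise_access and (not dev.compliant or gaps):
        gaps.append("access_despite_gaps")
    return gaps


def hunt(devices: list[Device], today: date) -> dict[str, list[str]]:
    """Map device_id -> gap codes for every device that has at least one gap."""
    findings: dict[str, list[str]] = {}
    for dev in devices:
        gaps = assess(dev, today)
        if gaps:
            findings[dev.device_id] = gaps
    return findings


# Constructed sample inventory and reference date (not real devices).
TODAY = date(2024, 6, 1)
SAMPLE_DEVICES = [
    Device("and-001", "android", "14.0", True, True, True, "2024-05-01", True),
    Device("and-002", "android", "12.0", True, False, True, "2023-11-01", None),
    Device("and-003", "android", "14.0", False, False, False, None, False,
           vendor_supported=False),
    Device("ios-001", "ios", "17.4", True, True, True),
    Device("ios-002", "ios", "16.7", True, True, True),
]

if __name__ == "__main__":
    for device_id, gaps in hunt(SAMPLE_DEVICES, TODAY).items():
        print(f"{device_id}: {', '.join(gaps)}")
```

The `access_despite_gaps` code is the one to triage first, because it identifies devices that can already reach enterprise resources while carrying one of the weaknesses the mitigations are meant to exclude; `bootloader_state_unknown` and `patch_level_unknown` are telemetry gaps rather than device findings, and tell you where the management stack cannot yet support the detection strategy.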

Analyst notes and limits

This is a mobile ATT&CK technique with a strong physical-access and cyber-physical edge: a cable, charger, or connected PC can become part of the attack path. The supplied object has no ATT&CK tactics listed and no official detection narrative, so the most defensible Glexia position is to focus on control validation, mobile compliance evidence, and IR readiness rather than claiming reliable detection from endpoint or network monitoring alone.

Assessment is limited to the supplied ATT&CK fields, references, and relationships. The object supports Android and iOS only. It does not establish current exploitation, specific customer exposure, guaranteed detection coverage, or complete detection data sources. Local MDM/EMM capabilities, device models, OS versions, and policy enforcement determine practical coverage.

Official MITRE ATT&CK definition

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 2.1
Created:
Modified:
Raw hash: 19bb04476534985b...

Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1                      2.1                       Current bundle  19bb04476534…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  [1] Lau-Mactans: Lau et al. (2013). Mactans: Injecting Malware Into iOS Devices Via Malicious Chargers. Retrieved December 23, 2016.
  [2] Krebs-JuiceJacking: Brian Krebs. (2011, August 17). Beware of Juice-Jacking. Retrieved December 23, 2016.
  [3] IBM-NexusUSB: Roee Hay. (2017, January 5). Android Vulnerabilities: Attacking Nexus 6 and 6P Custom Boot Modes. Retrieved January 11, 2017.
  [4] GoogleProjectZero-OATmeal: Jann Horn. (2018, September 10). OATmeal on the Universal Cereal Bus: Exploiting Android phones over USB. Retrieved September 18, 2018.
  [5] Computerworld-iPhoneCracking: Lucas Mearian. (2018, May 9). Two vendors now sell iPhone cracking technology – and police are buying. Retrieved November 17, 2024.
  [6] NIST Mobile Threat Catalogue PHY-1
  [7] NIST Mobile Threat Catalogue PHY-2
  [8] NIST Mobile Threat Catalogue STA-6
  [9] mitre-attack T1458

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.