Live Active security incident? Get immediate response
MITRE ATT&CK® Technique

T1638: Adversary-in-the-Middle

Adversaries may attempt to position themselves between two or more networked devices to support follow-on behaviors such as Transmitted Data Manipulation or Endpoint Denial of Service.

Adversary-in-the-Middle can be achieved through several mechanisms. For example, a malicious application may register itself as a VPN client, effectively redirecting device traffic to adversary-owned resources. Registering as a VPN client requires user consent on both Android and iOS; additionally, a special entitlement granted by Apple is needed for iOS devices. Alternatively, a malicious application with escalation privileges may utilize those privileges to gain access to network traffic.

Specific to Android devices, adversary-in-the-disk is a type of AiTM attack where adversaries monitor and manipulate data that is exchanged between applications and external storage.[1][2][3] To accomplish this, a malicious application firsts requests for access to multimedia files on the device (`READ_EXTERNAL STORAGE` and `WRITE_EXTERNAL_STORAGE`), then the application reads data on the device and/or writes malware to the device. Though the request for access is common, when used maliciously, adversaries may access files and other sensitive data due to abusing the permission. Multiple applications were shown to be vulnerable against this attack; however, scrutiny of permissions and input validations may mitigate this attack.

Outside of a mobile device, adversaries may be able to capture traffic by employing a rogue base station or Wi-Fi access point. These devices will allow adversaries to capture network traffic after it has left the device, while it is flowing to its destination. On a local network, enterprise techniques could be used, such as ARP Cache Poisoning or DHCP Spoofing.

If applications properly encrypt their network traffic, sensitive data may not be accessible to adversaries, depending on the point of capture. For example, properly implementing Apple’s Application Transport Security (ATS) and Android’s Network Security Configuration (NSC) may prevent sensitive data leaks.[4]

MobileT1638TechniqueObject v2.2 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

Adversary-in-the-Middle on mobile matters because it can turn a phone or tablet into an exposed communications path: traffic may be redirected through a malicious VPN-style app, captured after leaving the device through rogue Wi-Fi or cellular infrastructure, or manipulated through Android external storage abuse. For leaders, the key question is not only “are devices encrypted?” but whether mobile apps, permissions, OS currency, and network protections actually prevent sensitive business data from being observed or changed in transit.

Executive priority

Prioritize this where mobile devices access regulated data, identity sessions, banking/payment workflows, executive communications, or operational systems. The business decision value is in validating that Android and iOS fleets are on recent OS versions, that application traffic is protected with TLS and platform controls such as iOS App Transport Security and Android Network Security Configuration, and that audit evidence exists for mobile app permissions, VPN usage, and network exposure. This technique also supports follow-on behaviors such as transmitted data manipulation and endpoint denial of service, so it should be considered in incident response scoping when mobile network interception or suspicious mobile VPN behavior is suspected.

Technical view

For SOC, detection engineering, and IR teams, coverage should be validated across Android and iOS even though ATT&CK does not provide official detection text for this object. Focus on evidence of unusual mobile VPN registration or traffic redirection, applications requesting broad Android external storage permissions, use of insecure or weakly protected application network communication, and device connections to suspicious Wi-Fi or cellular infrastructure. Relationship context shows DET0623 detects this object, but no detection logic was supplied here; teams should treat it as a pointer to develop or map local detections rather than as proof of current coverage.

Likely telemetry

  • Mobile device inventory with OS version and platform: Android and iOS
  • Mobile application inventory, permissions, and entitlement data, especially VPN capability and Android external storage access
  • Mobile VPN configuration and consent/profile records where available
  • Application network security configuration evidence, including TLS usage, iOS ATS, and Android NSC posture
  • Network metadata for mobile traffic such as destination, DNS, proxy, TLS, and certificate-related observations where collected

Detection direction

  • Do not rely on a single network sensor: capture may occur inside the device through a VPN-style app, through Android storage abuse, or outside the device through rogue Wi-Fi/cellular infrastructure.
  • Validate whether mobile security tooling can surface newly installed or suspicious VPN-capable apps and unusual VPN/profile changes on Android and iOS.
  • Tune permission-review logic carefully: Android READ/WRITE external storage requests can be common, so prioritize apps handling sensitive data, apps from untrusted sources, or apps with weak input validation exposure.
  • Review mobile application traffic protections; unencrypted or improperly encrypted traffic is the condition that makes interception materially worse.
  • Correlate suspicious mobile app behavior with network observations such as unexpected access points, unusual traffic destinations, or certificate/TLS anomalies.

Mitigation priorities

  • Keep Android and iOS devices on recent OS versions, aligning with mitigation M1006, because newer mobile OS releases include patches and security architecture improvements.
  • Require application developers to encrypt application network traffic with TLS, aligning with M1009, and use platform protections such as iOS App Transport Security and Android Network Security Configuration where applicable.
  • Review mobile apps for insecure communication patterns, excessive external storage permissions, and insufficient input validation, especially for applications handling sensitive data.
  • Restrict or closely govern mobile VPN-capable applications and configuration profiles based on business need and user consent workflows.
  • Reduce exposure to rogue Wi-Fi access points through enterprise wireless governance and user/device policy where supported by the environment.
Analyst notes and limits

This ATT&CK object consolidates several older revoked mobile techniques, including network traffic capture/redirection, insecure communication eavesdropping, communication manipulation, rogue Wi-Fi access points, protocol downgrade, and rogue cellular base station concepts. Software relationships identify KeyRaider, Monokle, and S.O.V.A. as using this technique, but that relationship should not be interpreted as current activity or attribution in a local environment.

ATT&CK lists no tactics and provides no official detection text for T1638 in the supplied fields. The related detection strategy DET0623 is named but not described here. Practical detection and audit confidence therefore depend on local mobile management, application security testing, network logging, and incident response collection capabilities.

Official MITRE ATT&CK definition

Adversary-in-the-Middle

Adversaries may attempt to position themselves between two or more networked devices to support follow-on behaviors such as Transmitted Data Manipulation or Endpoint Denial of Service.

Adversary-in-the-Middle can be achieved through several mechanisms. For example, a malicious application may register itself as a VPN client, effectively redirecting device traffic to adversary-owned resources. Registering as a VPN client requires user consent on both Android and iOS; additionally, a special entitlement granted by Apple is needed for iOS devices. Alternatively, a malicious application with escalation privileges may utilize those privileges to gain access to network traffic.

Specific to Android devices, adversary-in-the-disk is a type of AiTM attack where adversaries monitor and manipulate data that is exchanged between applications and external storage.[1][2][3] To accomplish this, a malicious application firsts requests for access to multimedia files on the device (`READ_EXTERNAL STORAGE` and `WRITE_EXTERNAL_STORAGE`), then the application reads data on the device and/or writes malware to the device. Though the request for access is common, when used maliciously, adversaries may access files and other sensitive data due to abusing the permission. Multiple applications were shown to be vulnerable against this attack; however, scrutiny of permissions and input validations may mitigate this attack.

Outside of a mobile device, adversaries may be able to capture traffic by employing a rogue base station or Wi-Fi access point. These devices will allow adversaries to capture network traffic after it has left the device, while it is flowing to its destination. On a local network, enterprise techniques could be used, such as ARP Cache Poisoning or DHCP Spoofing.

If applications properly encrypt their network traffic, sensitive data may not be accessible to adversaries, depending on the point of capture. For example, properly implementing Apple’s Application Transport Security (ATS) and Android’s Network Security Configuration (NSC) may prevent sensitive data leaks.[4]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

6 rows
Domain ID Name Relationship / procedure
Mobile T1466 Downgrade to Insecure Protocols Downgrade to Insecure Protocols revoked by this object.
Mobile T1410 Network Traffic Capture or Redirection Network Traffic Capture or Redirection revoked by this object.
Mobile T1465 Rogue Wi-Fi Access Points Rogue Wi-Fi Access Points revoked by this object.
Mobile T1467 Rogue Cellular Base Station Rogue Cellular Base Station revoked by this object.
Mobile T1439 Eavesdrop on Insecure Network Communication Eavesdrop on Insecure Network Communication revoked by this object.
Mobile T1463 Manipulate Device Communication Manipulate Device Communication revoked by this object.
Associated objects

Groups, software, and campaigns

Malware Mobile

S0288: KeyRaider

KeyRaider is malware that steals Apple account credentials and other data from jailbroken iOS devices. It also has ransomware functionality. [1]

Malware Mobile

S0407: Monokle

Monokle is targeted, sophisticated mobile surveillanceware. It is developed for Android, but there are some code artifacts that suggests an iOS version may be in development.[1]

Android
Malware Mobile

S1062: S.O.V.A.

S.O.V.A. is an Android banking trojan that was first identified in August 2021 and has subsequently been found in a variety of applications, including banking, cryptocurrency wallet/exchange, and shopping apps. S.O.V.A., which is Russian for "owl", contains features not commonly found in Android malware, such as session cookie theft.[1][2]

Android
Relationship explorer

All related ATT&CK context

mitigates · Mitigation M1009: Encrypt Network Traffic Mobile revoked by · Technique T1466: Downgrade to Insecure Protocols Mobile revoked by · Technique T1410: Network Traffic Capture or Redirection Mobile revoked by · Technique T1465: Rogue Wi-Fi Access Points Mobile uses · Malware S0288: KeyRaider Mobile mitigates · Mitigation M1006: Use Recent OS Version Mobile uses · Malware S0407: Monokle Mobile revoked by · Technique T1467: Rogue Cellular Base Station Mobile revoked by · Technique T1439: Eavesdrop on Insecure Network Communication Mobile revoked by · Technique T1463: Manipulate Device Communication Mobile uses · Malware S1062: S.O.V.A. Mobile detects · Detection Strategy DET0623: Detection of Adversary-in-the-Middle Mobile
Mitigations

Mitigation direction

Mitigation Mobile

M1009: Encrypt Network Traffic

Application developers should encrypt all of their application network traffic using the Transport Layer Security (TLS) protocol to ensure protection of sensitive data and deter network-based attacks. If desired, application developers could perform message-based encryption of data before passing it for TLS encryption.

iOS's App Transport Security feature can be used to help ensure that all application network traffic is appropriately protected. Apple intends to mandate use of App Transport Security [1] for all apps in the Apple App Store unless appropriate justification is given.

Android's Network Security Configuration feature similarly can be used by app developers to help ensure that all of their application network traffic is appropriately protected [2].

Use of Virtual Private Network (VPN) tunnels, e.g. using the IPsec protocol, can help mitigate some types of network attacks as well.

Mitigation Mobile

M1006: Use Recent OS Version

New mobile operating system versions bring not only patches against discovered vulnerabilities but also often bring security architecture improvements that provide resilience against potential vulnerabilities or weaknesses that have not yet been discovered. They may also bring improvements that block use of observed adversary techniques.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
2.2
Created
Modified
Raw hash
2fc740a9ad3c76be...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 2.2 Current bundle 2fc740a9ad3c…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitd_kaspersky

    Drozhzhin, A. (2018, August 27). Man-in-the-Disk: A new and dangerous way to hack Android. Retrieved October 31, 2023.

    Open source URL
  2. [2]
    mitd_checkpoint

    Check Point Research Team. (2018, August 12). Man-in-the-Disk: A New Attack Surface for Android Apps. Retrieved October 31, 2023.

    Open source URL
  3. [3]
    mitd_checkpoint_research

    Makkaveev, S. (2018, August 12). Man-in-the-Disk: Android Apps Exposed via External Storage. Retrieved October 31, 2023.

    Open source URL
  4. [4]
    NSC_Android

    Lee, A., Ramirez, T. (2018, August 15). A Security Analyst’s Guide to Network Security Configuration in Android P . Retrieved February 7, 2024.

    Open source URL
  5. [5]
    NIST Mobile Threat Catalogue APP-0
    Open source URL
  6. [6]
    NIST Mobile Threat Catalogue APP-1
    Open source URL
  7. [7]
    NIST Mobile Threat Catalogue APP-8
    Open source URL
  8. [8]
    NIST Mobile Threat Catalogue CEL-3
    Open source URL
  9. [9]
    NIST Mobile Threat Catalogue ECO-12
    Open source URL
  10. [10]
    mitre-attack T1638
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use