T1658: Exploitation for Client Execution
Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to insecure coding practices that can lead to unanticipated behavior. Adversaries may take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly use to do work, so those applications are a useful target for exploit research and development because of their high utility.
Adversaries may use device-based zero-click exploits for code execution. These exploits are powerful because there is no user interaction required for code execution.
### SMS/iMessage Delivery
SMS and iMessage in iOS are common targets through Drive-By Compromise, Phishing, etc. Adversaries may embed malicious links, files, etc. in SMS messages or iMessages. Mobile devices may be compromised through one-click exploits, where the victim must interact with a text message, or zero-click exploits, where no user interaction is required.
### AirDrop
Unique to iOS, AirDrop is a network protocol that allows iOS users to transfer files between iOS devices. Before patches from Apple were released, on iOS 13.4 and earlier, adversaries may force the Apple Wireless Direct Link (AWDL) interface to activate, then exploit a buffer overflow to gain access to the device and run as root without interaction from the user.
Analyst context for executives and security teams
Exploitation for Client Execution is a mobile technique where vulnerabilities in client applications or mobile delivery paths can be used to run code on Android or iOS devices. Its business significance is that compromise may occur through everyday user workflows such as messaging or file transfer, and in some cases described by ATT&CK, without user interaction. That makes mobile patch posture, device eligibility for enterprise access, and incident response readiness especially important for executives and security leaders.
Executive priority
Prioritize this as a resilience and governance issue for mobile fleets, especially where executives, administrators, or high-risk personnel use Android or iOS devices to access enterprise resources. The ATT&CK mitigation context points to security updates, supported devices, and restricting access from devices lacking recent updates. Leaders should ask whether mobile OS patch levels are measured, whether unsupported devices are decommissioned or blocked, and whether audit evidence can show timely update enforcement.
Technical view
ATT&CK lists Android and iOS as platforms and provides no official detection text, so SOC and IR teams should validate coverage through the related detection strategy DET0629 rather than assuming standard endpoint telemetry is sufficient. Technical validation should focus on whether teams can observe mobile OS version and security patch level, application update state, suspicious message or file-delivery context where available, AirDrop/AWDL exposure on applicable iOS versions, and post-exploitation indicators from known related mobile malware or campaign reporting when relevant. Relationship context includes Operation Triangulation using zero-click iMessage attachments, Pegasus for iOS, and LightSpy across Android and iOS among other platforms; use these relationships for threat-informed testing and intelligence enrichment, not as proof of local exposure.
Likely telemetry
- Mobile device inventory with OS version, model, vendor/carrier support status, and security patch level
- Mobile device management or enterprise mobility management compliance status
- Application inventory and client application update state
- Mobile security alerts or detection strategy outputs aligned to DET0629, where deployed
- Enterprise access logs showing device compliance state at authentication or resource access time
Detection direction
- Confirm whether mobile telemetry exists at all for Android and iOS; many SOC blind spots come from treating phones as unmanaged personal endpoints.
- Map current mobile detections to DET0629 and document what is actually observable versus inferred.
- Tune triage to account for low-interaction or zero-click scenarios described by ATT&CK; absence of a user click should not automatically close an investigation.
- Correlate mobile security alerts with device patch level, unsupported-device status, unusual enterprise access, and user reports.
- Use relationship context from Operation Triangulation, Pegasus for iOS, and LightSpy to guide threat-informed hunting, while avoiding attribution unless independent evidence supports it.
Mitigation priorities
- Establish security update enforcement as the primary control priority, consistent with ATT&CK mitigation M1001.
- Purchase and retain devices only where vendors or carriers provide prompt security updates for a defined support period.
- Decommission or restrict enterprise access from devices that no longer receive security updates.
- Use device compliance controls to limit or block access from Android devices below required security patch levels and iOS devices that do not meet update requirements, where supported.
- Provide user guidance under M1011 for risky links, files, messaging behavior, and device configuration choices, while recognizing that zero-click exploitation cannot be solved by awareness alone.
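The detection direction and mitigation priorities above both depend on comparing each device's inventory record against a patch policy. The following is an added illustration (not Glexia or ATT&CK code) of that check over a constructed MDM inventory; the minimum iOS version, the 90-day Android patch age and the device records are assumptions chosen for the example.

```python
from datetime import date

# Constructed example (not ATT&CK or vendor code): evaluate a mobile device
# inventory against a patch policy and use the result to triage alerts.
# Policy thresholds below are assumptions for illustration.
MIN_IOS = (13, 5)            # 13.4 and earlier carry the AirDrop/AWDL issue the page describes
MAX_ANDROID_PATCH_AGE = 90   # days since the reported Android security patch level


def parse_version(text):
    """'13.10.1' -> (13, 10, 1); tuples compare numerically, so 13.10 > 13.4."""
    return tuple(int(p) for p in text.split("."))


def evaluate_device(dev, today):
    """Return policy findings for one inventory record; an empty list means compliant."""
    findings = []
    if not dev.get("vendor_supported", False):
        findings.append("device no longer receives vendor security updates")
    if dev["os"] == "ios":
        if parse_version(dev["os_version"]) < MIN_IOS:
            findings.append("iOS below minimum version %d.%d" % MIN_IOS)
    elif dev["os"] == "android":
        patch = dev.get("security_patch")
        if patch is None:
            findings.append("Android security patch level not reported")
        elif (today - date.fromisoformat(patch)).days > MAX_ANDROID_PATCH_AGE:
            findings.append("Android security patch level older than %d days" % MAX_ANDROID_PATCH_AGE)
    return findings


def triage_alert(alert, inventory, today):
    """Prioritise a mobile alert from device state; a missing user click is never a reason to close it."""
    dev = inventory.get(alert["device_id"])
    if dev is None:
        return "high", ["device not in MDM inventory (telemetry gap)"]
    findings = evaluate_device(dev, today)
    return ("high" if findings else "medium"), findings


# Constructed inventory and alert for the example run.
INVENTORY = {
    "ios-01": {"os": "ios", "os_version": "13.4", "vendor_supported": True},
    "ios-02": {"os": "ios", "os_version": "13.10", "vendor_supported": True},
    "and-01": {"os": "android", "security_patch": "2024-01-05", "vendor_supported": False},
    "and-02": {"os": "android", "security_patch": "2024-05-01", "vendor_supported": True},
}
TODAY = date(2024, 6, 1)

if __name__ == "__main__":
    print(triage_alert({"device_id": "ios-01", "user_interaction": False}, INVENTORY, TODAY))
```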
Analyst notes and limits
This object is mobile-specific and applies to Android and iOS. ATT&CK highlights SMS/iMessage delivery and iOS AirDrop/AWDL examples, including one-click and zero-click exploitation. The most decision-useful relationships are the DET0629 detection strategy and mitigations M1001 Security Updates and M1011 User Guidance. Campaign and software relationships provide threat context but should not be treated as evidence of current activity in any environment.
Official ATT&CK detection text is not provided, tactics are not specified in the supplied object, and no environment-specific telemetry is available here. The Glexia take therefore focuses on validation questions, telemetry requirements, and conservative control priorities rather than claiming guaranteed detection or exposure.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Groups, software, and campaigns
S1185: LightSpy
First observed in 2018, LightSpy is a modular malware family that initially targeted iOS devices in Southern Asia before expanding to Android and macOS platforms. It consists of a downloader, a main executable that manages network communications, and functionality-specific modules, typically implemented as `.dylib` files (iOS, macOS) or `.apk` files (Android). LightSpy can collect VoIP call recordings, SMS messages, and credential stores, which are then exfiltrated to a command and control (C2) server.[1]
S0289: Pegasus for iOS
Pegasus for iOS is the iOS version of malware that has reportedly been linked to the NSO Group. It has been advertised and sold to target high-value victims.[1][2] The Android version is tracked separately under Pegasus for Android.
C0054: Operation Triangulation
Operation Triangulation is a mobile campaign targeting iOS devices.[1] The unidentified actors used zero-click exploits in iMessage attachments to gain Initial Access, then executed exploits and validators, such as Binary Validator, before finally executing the TriangleDB implant.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 51dc80723481… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack: T1658 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.