Skip to content

Hide Navigation Hide TOC

Network Traffic Capture or Redirection - T1410 (3b0b604f-10db-41a0-b54c-493124d455b9)

An adversary may capture network traffic to and from the device to obtain credentials or other sensitive data, or redirect network traffic to flow through an adversary-controlled gateway to do the same.

A malicious app could register itself as a VPN client on Android or iOS to gain access to network packets. However, on both platforms, the user must grant consent to the app to act as a VPN client, and on iOS the app requires a special entitlement that must be granted by Apple.

Alternatively, if a malicious app is able to escalate operating system privileges, it may be able to use those privileges to gain access to network traffic.

An adversary could redirect network traffic to an adversary-controlled gateway by establishing a VPN connection or by manipulating the device's proxy settings. For example, Skycure (Citation: Skycure-Profiles) describes the ability to redirect network traffic by installing a malicious iOS Configuration Profile.

If applications encrypt their network traffic, sensitive data may not be accessible to an adversary, depending on the point of capture.

Cluster A Galaxy A Cluster B Galaxy B Level
Adversary-in-the-Middle - T1638 (08e22979-d320-48ed-8711-e7bf94aabb13) Attack Pattern Network Traffic Capture or Redirection - T1410 (3b0b604f-10db-41a0-b54c-493124d455b9) Attack Pattern 1