Threat list for MaaS360 MTD app
The threats and their associated risk rules for the MaaS360® MTD app.
Threat list
Threat name | Description | Supported platform | Risk rule name |
---|---|---|---|
Abnormal Process Activity | Abnormal activity was detected. Your device is being monitored for any attacks. | Android OS, Chrome OS | Abnormal Process Activity |
Always-on VPN App Set | An app has been configured as an always-on VPN on this device. The app may monitor all device communications with the Internet. | Android OS, Chrome OS | App always on VPN |
Android Debug Bridge (ADB) Apps Not Verified | Apps installed via Android Debug Bridge (ADB) are not required to be verified. This may allow malicious apps to be installed on the device. | Android OS, Chrome OS | Android Debug Bridge (ADB) Apps Not Verified |
Android Debug Bridge (ADB) Wi-Fi Enabled | Wireless Developer Options is an advanced configuration option that is intended for development purposes only. When enabled, the user can change advanced settings remotely without a physical connection to the device, compromising the integrity of the device settings. | Android OS | Android Debug Bridge (ADB) Wi-Fi Enabled |
App Debug Enabled | An app with debugging enabled can pose a risk and allow an attacker to control and manipulate the underlying app functions. | Android OS | App Debug Enabled |
App Pending Activation | App activation for the Mobile Threat Defense (MTD) application is not complete. | Android OS, Apple OS, Chrome OS | Activation pending for MaaS360 MTD app |
App Tampering | Existing app libraries may have been modified, or a foreign library may have been injected into the app. | Android OS, Apple OS, Chrome OS | Suspicious Malware/spyware for Apps or Extensions |
ARP Scan | A reconnaissance scan using the Address Resolution Protocol (ARP) is often an indicator of a malicious attacker searching for a device vulnerable to a network attack, such as a Man-in-the-middle (MITM) attack. | Android OS | Protocol Scan |
Battery Permission Required | The MaaS360 MTD app requires the battery optimization permission so that it can stay active while running in the background and ensure continuous protection on the device. | Android OS | Battery optimization permission denied for MaaS360 MTD app |
BlueBorne Vulnerability | The device is vulnerable to a BlueBorne attack, which leverages Bluetooth connections to penetrate and take control of targeted devices. To avoid any risk from BlueBorne, the user needs to turn off Bluetooth permanently until an update is available from the device manufacturer or wireless carrier. For users who still require Bluetooth, it is recommended that Bluetooth is kept off until it is needed and used only in a trusted and secure area. | Android OS, Chrome OS | Device Compromised |
Bluetooth Permission Required | The Bluetooth permission is required by the MaaS360 MTD app to detect unknown tag trackers that could be tracking the device's location. | Android OS | Access to Bluetooth information denied for MaaS360 MTD app |
Captive Portal | Captive portal networks route traffic through a single proxy (portal), potentially opening up the traffic to monitoring. | Android OS, Apple OS, Chrome OS | Captive Portal |
Compromised by Spyware | This device has been compromised with malicious spyware. Malicious spyware is a type of malware that is designed to monitor and collect information from your device and forward it to unknown servers without user consent. | Apple OS | Suspicious Malware/spyware for Apps or Extensions |
Daemon Anomaly | A daemon anomaly indicates abnormal system process activity, which can indicate that the device has been used. Note: Advanced Knox MTD is required. | Android OS | Device Compromised |
Danger Zone Connected | The device is connected to a Wi-Fi network where malicious attacks have been observed. | Android OS, Apple OS, Chrome OS | Compromised Access Point Connected |
Developer Options | Developer Options is an advanced configuration option that is intended for development purposes only. When enabled, the user has the option to change advanced settings, compromising the integrity of the device settings. | Android OS, Apple OS, Chrome OS | Devices with developer mode enabled |
Device Admin Permission Required for Samsung Knox | The device admin permission is required by the MaaS360 MTD app to enable Samsung Knox functionality that protects devices from mobile threats. | Android OS | Device admin permission missing |
Device Encryption | Encryption is not set up on the device and is needed to protect the device's content. | Android OS | Device encryption |
Device Jailbroken / Rooted | Jailbreaking and rooting are the processes of gaining unauthorized access or elevated privileges on a system. Jailbreaking and rooting can open security holes that may not have been apparent, or undermine the built-in security measures of the device. | Android OS, Apple OS, Chrome OS | Device jailbroken or rooted |
Elevation of Privileges (EOP) | A malicious process that results in the elevation of privileges on the mobile device allows an attacker to take full control of the device. | Android OS, Apple OS | Elevation of Privileges |
File System Changed | A file system change occurred. Modifications made to files in the file system may sometimes lead to a malicious event. Note: The behavior of this threat event varies by device manufacturer. | Android OS, Apple OS, Chrome OS | File System Changed |
Google Play Protect Disabled | Google Play Protect has been disabled on this device. Google Play Protect helps protect the device from malicious apps and needs to be re-enabled. | Android OS, Chrome OS | Google Play Protect Disabled |
IP Scan | A reconnaissance scan using the IP protocol is often an indicator of a malicious attacker searching for a device vulnerable to a network attack, such as MITM. | Android OS | Protocol Scan |
Link Verification Disabled - Safari Extension | Link verification using the Safari browser extension is disabled on the device. | Apple OS | Safari link verification disabled |
Local Network Access Permission Required | Local network access is required by the app to protect devices from sophisticated Wi-Fi-based network attacks. | Apple OS | Access to local network information denied for MaaS360 MTD app |
Location Permission Required: Android | The location permission is required by the MaaS360 MTD app to protect devices from sophisticated network attacks. | Android OS | Access to location information denied for MaaS360 MTD app |
Location Permission Required: iOS | The location permission is required by the MaaS360 MTD app to include location information when reporting mobile threats. Location data provides real-time information on nearby Wi-Fi risks. | Apple OS | Access to location information denied for MaaS360 MTD app |
MITM | A man-in-the-middle attack occurred, in which a malicious attacker can hijack traffic, steal credentials, and deliver malware to the device. | Apple OS | Man in the Middle (MITM) attack |
MITM - ARP | A man-in-the-middle attack using ARP table poisoning occurred, in which a malicious attacker can hijack traffic, steal credentials, or deliver malware to the device. | Android OS | Man in the Middle (MITM) attack |
MITM - Fake SSL Certificate | A man-in-the-middle attack using a fake certificate occurred, in which a malicious attacker can hijack traffic, steal credentials, and deliver malware to the device. | Android OS, Apple OS, Chrome OS | Man in the Middle (MITM) attack |
MITM - Fake SSL Certificate - Self Signed | A man-in-the-middle attack using a fake self-signed certificate occurred, in which a malicious attacker can hijack traffic, steal credentials, and deliver malware to the device. | Android OS, Apple OS | Man in the Middle (MITM) attack |
MITM - SSL Strip | A man-in-the-middle attack using SSL stripping allows a malicious attacker to downgrade HTTPS traffic to HTTP, so that they can hijack traffic, steal credentials, and deliver malware to the device. | Android OS, Apple OS, Chrome OS | Man in the Middle (MITM) attack |
Notification Permission Required | The notification permission is required by the MaaS360 MTD app for users to receive on-device alerts about mobile security. | Android OS, Apple OS | Notifications disabled for MaaS360 MTD app |
Over-The-Air (OTA) Updates Disabled | Over-the-air (OTA) updates have been disabled on this device. OTA updates help keep a device's software up to date and more secure. | Android OS, Chrome OS | Over-the-air OS updates disabled |
Phishing Protection - Link Tapped | A potentially malicious website address (URL) link was tapped on the device. | Android OS, Apple OS, Chrome OS | Malicious URLs Access |
Phishing Protection - Link Visited | A user tapped a potentially malicious URL on the device. The user was warned of the potential danger of the linked site and chose to continue to the website after the warning. | Android OS, Apple OS, Chrome OS | Malicious URLs Access |
Proxy Change | Proxy configuration changes on the mobile device can indicate that traffic is being sent to an unintended destination. | Android OS | Proxy Change |
Risky Site Blocked | A potentially malicious website address (URL) link was blocked on the device. | Android OS, Apple OS, Chrome OS | Blocked URL access |
Risky Site - Link Tapped | A potentially malicious website address (URL) link was tapped on the device. | Android OS, Apple OS, Chrome OS | Risky URLs Access |
Risky Site - Link Visited | A user tapped a potentially malicious link on the device. The user was warned of the potential danger of the linked site and chose to continue to the website after the warning. | Android OS, Apple OS, Chrome OS | Risky URLs Access |
Rogue Access Point | Rogue access points exploit a device vulnerability to connect to a previously known Wi-Fi network by masquerading as preferred and known networks. | Android OS, Apple OS, Chrome OS | Compromised Access Point Connected |
Rogue Access Point: Nearby | Rogue access points exploit a device vulnerability to connect to a previously known Wi-Fi network by masquerading as preferred and known networks. | Android OS, Chrome OS | Compromised Access Point Nearby |
Sideloaded App(s) | Sideloaded apps are installed independently of an official app store and can present a security risk. | Android OS, Apple OS, Chrome OS | Sideloaded App(s) |
Site Blocked | A user tapped on website content not approved by your organization, and the site was blocked. | Android OS, Apple OS, Chrome OS | Blocked URL access |
Site Warning - Link Tapped | Website content not approved by your organization was tapped on the device. | Android OS, Apple OS, Chrome OS | Risky URLs Access |
Site Warning - Link Visited | A user tapped on website content not approved by your organization. The user was warned that the website content does not comply with your organization's policies and chose to continue to the website after the warning. | Android OS, Apple OS, Chrome OS | Risky URLs Access |
Storage Permission Required | The storage permission is required by the MaaS360 MTD app to scan the device's local storage and identify risky or malicious apps that may steal personal or sensitive information. | Android OS | Access to storage information denied for MaaS360 MTD app |
System Tampering | System tampering is the process of removing security limitations put in place by the device manufacturer; it indicates that the device is fully compromised and can no longer be trusted. | Android OS, Apple OS, Chrome OS | System Tampering |
Tag Tracker Detected | A tag tracker was detected. This tag could be tracking the user's location. If this tag is not known to the user, it should be disabled. | Android OS | Tag Tracker Detected |
TCP Scan | A reconnaissance scan using the TCP protocol is often an indicator of a malicious attacker searching for a device vulnerable to a network attack, such as MITM. | Android OS | Protocol Scan |
Unknown Sources Enabled | App downloads from locations other than the Google Play store are enabled. | Android OS, Chrome OS | Download apps from unknown Sources Enabled |
Unsecured Wi-Fi Network | A connection to an unsecured Wi-Fi network was detected. These networks are not protected by encryption or authentication protocols and are open to attackers. | Android OS, Apple OS | Insecure Wi-Fi |
USB Debugging Mode | USB debugging is an advanced configuration option intended for development purposes only. With USB debugging enabled, the device can accept commands from a computer when plugged in over a USB connection. | Android OS, Chrome OS | Devices with USB debugging enabled |
VPN Permission Required - Secure Web | The VPN permission is required to keep devices safe from risky websites. | Android OS, Apple OS | VPN configurations denied for MaaS360 MTD app - Secure Web |
VPN Permission Required - Secure Wi-Fi | The VPN permission is required by the MaaS360 MTD app to protect network data in the event of a malicious network attack. | Android OS, Apple OS | VPN configurations denied for MaaS360 MTD app - Secure Wi-Fi |
Active ADB Session Detected | Android Debug Bridge (ADB) is an advanced debugging tool that is typically used to interact with the device during development and troubleshooting sessions. An active ADB session was detected and should be monitored closely. | Android OS | No associated rule |
Actively Exploited Android Version | High-risk vulnerabilities have been reported and are actively exploited by malicious actors. Actively exploited vulnerabilities represent an immediate and known security threat, as attackers are already taking advantage of them. It is crucial to address actively exploited vulnerabilities quickly to protect systems and data from potential harm. | Android OS | No associated rule |
Actively Exploited iOS Version | High-risk vulnerabilities have been reported and are actively exploited by malicious actors. Actively exploited vulnerabilities represent an immediate and known security threat, as attackers are already taking advantage of them. It is crucial to address actively exploited vulnerabilities quickly to protect systems and data from potential harm. | Apple OS | No associated rule |
Android App Container | An application cloning environment was detected. This may be an attempt to evade company security policies. | Android OS | No associated rule |
Android Custom ROM | Using custom ROMs on mobile devices exposes users to significant security risks. Unlike official firmware from manufacturers, custom read-only memory (ROM) images often lack rigorous security testing and updates. This can lead to vulnerabilities such as back doors, unpatched exploits, and malicious code. Additionally, custom ROMs can compromise device integrity, making it easier for attackers to access sensitive information. Users may also miss critical security patches, increasing the likelihood of exploitation by threats. | Android OS | No associated rule |
Android Device - Compatibility not tested by Google | The profile of the Android device does not match the profile of any device that has passed Google Android compatibility testing. | Android OS | No associated rule |
Android Device - Possible Tampering | Possible tampering may have occurred with the Android device. | Android OS, Chrome OS | No associated rule |
App Running on Emulator | An app running on an emulator can pose a risk and allow an attacker to control and manipulate the underlying operating environment. | Android OS, Apple OS | No associated rule |
Apple Approved Marketplace Enabled | An Apple-approved marketplace has been enabled on the device. Using Apple-approved marketplaces to install apps that do not come directly from the Apple App Store might put the device at risk. | Apple OS | No associated rule |
Cellular Interception | Cellular interception was detected on your cellular network. This is suspicious behavior by your cellular carrier, or potentially by a third-party attacker who has gained access to the carrier's network, or potentially by a hardware radio device. The traffic flowing between your device and Internet services has been tampered with. | Android OS, Apple OS | No associated rule |
Cellular Network Change | The cellular network service provider has changed. | Android OS, Apple OS | No associated rule |
Changes to System Libraries | OS system libraries have been changed. Changes to system libraries are not expected outside of OS updates and should be investigated. | Android OS, Apple OS | No associated rule |
Crash Log Anomaly Detected - Non-System Process | Abnormal crashing of non-system processes is uncommon and can be an indicator of something more serious happening on the device; it should be investigated as soon as possible. | Apple OS | No associated rule |
Crash Log Anomaly Detected - System Process | Abnormal crashing of system processes is uncommon and can be an indicator of something more serious happening on the device; it should be investigated as soon as possible. | Apple OS | No associated rule |
Device Failed Basic Integrity Check | The device may not meet Android compatibility requirements and may not be approved to run Google Play services. | Android OS | No associated rule |
Device Failed Integrity Check | The device may not meet Android compatibility requirements and may not be approved to run Google Play services. | Android OS | No associated rule |
Device Failed Strong Integrity Check | The device may not pass system integrity checks or may not meet Android compatibility requirements. | Android OS | No associated rule |
Device Pin | The device is not set up to use a PIN code or password to control access to the device. | Android OS, Apple OS | No associated rule |
Enable Permissions for Zero-Touch Activation | When zero-touch activation is used, this threat shows that the user has not yet granted the permissions necessary for the application to fully function. | Android OS, Apple OS | No associated rule |
File Pushed to a Sensitive Directory via ADB | Android Debug Bridge (ADB) is an advanced debugging tool typically used during development and troubleshooting sessions. During an active ADB session, a file was uploaded to a sensitive directory on the device, which is not normal and is considered risky when the device is not under active development or incident troubleshooting. | Android OS | No associated rule |
Filesystem Mount Points Changed | Filesystem mounts are often changed as part of regular device behavior, but this can also occur as part of a device attack. This is viewed as normal/low risk on its own, but affected devices should continue to be monitored for threats. | Android OS, Apple OS | No associated rule |
Hacking Tools | A hacking tool is a program or utility designed to intentionally modify or work around the standard operation of a device, operating system, or application. While hacking tools have legitimate purposes, such as debugging, testing, and performance monitoring, they can also be exploited for malicious purposes, posing significant risks to the device and the data on it. | Android OS | No associated rule |
High Risk Browser Extension | A Google Chrome extension was detected that has one or more privacy and/or security concerns that may put your personal and confidential information at risk. | Not applicable | No associated rule |
Inactive App | A certain amount of time has passed and the app has not communicated with the server. | Android OS, Apple OS, Chrome OS | No associated rule |
iOS Rapid Security Response Available | An iOS Rapid Security Response is available to be installed on the device. The Rapid Security Response contains important security improvements and should be installed as soon as possible. | Apple OS | No associated rule |
iOS Shortcut Detection Disabled | The device is not configured to detect risky or malicious iOS shortcuts. This option must be enabled on the device. | Apple OS | No associated rule |
iOS Shortcut Detection Outdated | The MTD shortcut installed on the device is out of date. Without the latest version of the MTD shortcut, the latest capabilities cannot be used. | Apple OS | No associated rule |
iTunes WiFi Sync Enabled | The device is configured to connect to an external device over Wi-Fi and sync data and backups with it. | Apple OS | No associated rule |
Link Verification Disabled - On-device VPN | Link verification using the on-device VPN is disabled on the device. | Android OS, Apple OS | No associated rule |
Lockdown Mode Not Enabled | Lockdown Mode is an iOS feature aimed at increasing the device's security. It is recommended that it be enabled. | Apple OS | No associated rule |
Malicious iOS Shortcut Found | A potentially malicious iOS shortcut was found installed on your device. iOS shortcuts might pose a significant security risk to your information. It is recommended that you review the shortcut to determine whether or not it should be used. | Apple OS | No associated rule |
OS Not Compliant - Android | The Android version is not compliant with the assigned OS compliance policy. The device has an Android upgrade available. | Android OS | No associated rule |
OS Not Compliant - iOS | The iOS version is not compliant with the assigned OS compliance policy. The device has an iOS upgrade available. | Apple OS | No associated rule |
OS Not Compliant and Not Upgradable - Android | The Android version is not compliant with the assigned OS compliance policy. The device does not have an Android upgrade available. | Android OS | No associated rule |
OS Not Compliant and Not Upgradable - iOS | The iOS version is not compliant with the assigned OS compliance policy. The device does not have an iOS upgrade available. | Apple OS | No associated rule |
OS Upgrade Available - Android | The Android version installed on the device is not up to date. New Android versions usually include security fixes. | Android OS | No associated rule |
OS Upgrade Available - iOS | The iOS version installed on the device is not up to date. New iOS versions usually include security fixes. | Apple OS | No associated rule |
Out of Compliance App | One or more apps found on the device are marked as Out-of-Compliance apps. | Android OS, Apple OS, Chrome OS | No associated rule |
Out of Compliance Browser Extension | A Google Chrome extension was detected that is marked as out of compliance with your organization's policies. It is recommended that you remove it from your Google Chrome browser. | Not applicable | No associated rule |
Phishing PDF File | A potentially malicious URL was detected within the PDF file. | Android OS | No associated rule |
Protected App Sideloaded | The protected app was installed through an untrusted installation method, such as an unofficial app store. There is a risk that the app has been tampered with and could contain malicious code or behave unexpectedly. | Android OS, Apple OS | No associated rule |
Restart Device Reminder | A reminder to periodically restart the device. Periodically restarting the device helps with optimal performance and is a recommended security best practice. | Android OS, Apple OS | No associated rule |
Risky iOS Shortcut Found | A potentially risky iOS shortcut was found installed on your device. iOS shortcuts might pose a significant security risk to your information. It is recommended that you review the shortcut to determine whether or not it should be used. | Apple OS | No associated rule |
SELinux Disabled | Security-Enhanced Linux (SELinux) is a security feature of the operating system that helps maintain the operating system's integrity. If SELinux has been disabled, the operating system's integrity may be compromised and should be investigated immediately. | Android OS | No associated rule |
Sensitive File Downloaded from the Device via ADB | Android Debug Bridge (ADB) is an advanced debugging tool typically used during development and troubleshooting sessions. During an active ADB session, a sensitive file was downloaded from the device, exposing a potential risk of loss of sensitive device or user information. | Android OS | No associated rule |
Sideloaded App from High Risk App Store | A sideloaded app signed with a deny-listed certificate was detected. These certificates can be used to sign malicious apps on third-party app stores. | Apple OS | No associated rule |
Sideloaded Browser Extension | A sideloaded extension was detected that was not installed from an official web store. These extensions and their developers may not be verified and can present a security risk. | Not applicable | No associated rule |
SIM Change | The Subscriber Identity Module (SIM) card that uniquely identifies the device, or the state of the SIM (for example, Deactivated), has changed. Sensitive information about the device and the user is stored on the SIM. Altering the SIM without knowledge or consent is a potential risk and should be investigated. | Android OS | No associated rule |
Suspected Sideloaded iOS App | An iOS app that is suspected of not having come from a formal or approved Apple app store was detected on the device. The user must run a Deep Scan to confirm that the application is sideloaded. | Apple OS | No associated rule |
Suspicious Android App | A known malicious app is attempting to control the device in some manner, such as elevation of privileges or spyware. | Android OS, Chrome OS | No associated rule |
Suspicious APK File | Harmful code or behavior was found within the APK file, indicating that a potential threat has been detected. | Android OS | No associated rule |
Suspicious Browser Extension | An unsafe extension was detected. It is strongly recommended that you remove the extension immediately. | Not applicable | No associated rule |
Suspicious iOS App | A known malicious app was detected that can attempt to take control of the device in some manner, such as elevation of privileges or spyware. | Apple OS | No associated rule |
Suspicious PDF File | Harmful code or behavior was found within the PDF file, indicating that a potential threat has been detected. | Android OS | No associated rule |
Suspicious Profile | A suspicious profile is a new profile introduced into the environment that is not explicitly trusted or untrusted. An administrator must review the profile and mark it as trusted or untrusted. | Apple OS | No associated rule |
TestFlight App Installed | TestFlight is installed. TestFlight is a service provided by Apple that allows developers to distribute and test their applications with a group of testers before releasing them to the public. TestFlight is widely used by developers to ensure apps are stable and refined before public release. | Apple OS | No associated rule |
Unlocked Bootloader | The device bootloader is unlocked. The device bootloader is a system-level component that manages the device's boot process and helps maintain the integrity of the device. Unlocking the bootloader can compromise the integrity of the device by permitting special system-level access to install non-standard software and applications, elevating the risk to the device and the data on it. | Android OS | No associated rule |
Unscanned Files | Unscanned files pose potential risks. Resuming the scan immediately is advised. | Android OS, Apple OS | No associated rule |
Untrusted Profile | An untrusted profile is a profile installed on one or more devices that is unsafe for your devices. An untrusted profile installed on devices can be used to control devices remotely, monitor and manipulate user activities, and hijack users' traffic. | Apple OS | No associated rule |
VPN Connection Active | A VPN connection is active. A VPN can be used to manipulate the device location and can be a red flag, as fraudsters use VPNs to mask their location during illegal transactions. | Android OS, Apple OS | No associated rule |
Vulnerable Android Version | The Android version installed on the device has one or more critical vulnerabilities and is not up to date. The outdated operating system exposes the device to known vulnerabilities and the threat of exploitation by malicious actors. The Android version should be updated immediately. | Android OS, Chrome OS | No associated rule |
Vulnerable iOS Version | The iOS version installed on the device has one or more critical vulnerabilities and is not up to date. The outdated operating system exposes the device to known vulnerabilities and the threat of exploitation by malicious actors. The iOS version should be updated immediately. | Apple OS | No associated rule |
Vulnerable, Non-Upgradable Android Version | The device is running a vulnerable Android version. However, the device is not eligible for an operating system upgrade at this time. | Android OS, Chrome OS | No associated rule |
Vulnerable, Non-Upgradable iOS Version | The device is running a vulnerable iOS version. However, the device is not eligible for an operating system upgrade at this time. | Apple OS | No associated rule |