Skip to content

SC-018: Mobile Device Compromise

Scenario Header

Type: Mobile / Endpoint  |  Difficulty: ★★★☆☆  |  Duration: 2–3 hours  |  Participants: 4–8

Threat Actor: eCrime group — data theft via mobile attack chain targeting BYOD environments

Primary ATT&CK Techniques: T1444 · T1407 · T1430 · T1417 · T1636 · T1521 · T1474.001

Threat Actor Profile

JADE SERPENT is a cybercrime group active since 2023, specializing in mobile-first attack campaigns targeting organizations with permissive BYOD (Bring Your Own Device) policies. The group develops custom Android malware disguised as productivity and utility applications, distributed via third-party app stores and targeted phishing messages. Their malware family, internally tracked as DroidHook, combines credential harvesting, screen recording, and corporate data exfiltration capabilities.

JADE SERPENT targets the healthcare and pharmaceutical sectors, where BYOD adoption is high, mobile access to corporate resources is common, and the data (patient records, clinical trial data, drug formulations) commands premium prices on underground markets. Their average intrusion duration is 45–90 days, and they typically exfiltrate 5–20GB of corporate data per compromised device.

Motivation: Financial — stolen healthcare data sold on underground markets ($250–$1,000 per patient record), corporate espionage, and ransomware deployment (secondary objective).

Scenario Narrative

Phase 1 — Social Engineering & Malicious App Installation (~25 min)

JADE SERPENT targets MedDevice Corp, a medical device manufacturer with 3,500 employees and a BYOD program enrolling ~1,800 personal devices via Microsoft Intune MDM. The group identifies Dr. Rachel Torres, VP of Clinical Research, through LinkedIn reconnaissance. Dr. Torres uses a personal Samsung Galaxy S24 (Android 14) enrolled in MedDevice Corp's Intune MDM for email, Teams, and SharePoint access.

The attacker sends a targeted SMS (smishing) to Dr. Torres's personal phone:

"MedDevice Security: Your corporate account requires re-verification. Install the updated MedDevice Authenticator from: hxxps://meddevice-auth[.]app/download"

The link redirects to a convincing clone of the Google Play Store page for "MedDevice Authenticator" — a trojanized app that bundles legitimate Microsoft Authenticator functionality with the DroidHook malware. The APK is signed with a self-signed certificate (not Google Play Protect verified).

Dr. Torres, believing this is a legitimate IT security requirement, enables "Install from unknown sources" in her device settings and sideloads the application. Upon installation, DroidHook requests the following permissions:

Permission Justification Displayed Actual Use
Accessibility Service "Enhanced security scanning" Screen recording, keylogging
Device Admin "Remote wipe capability" Prevent uninstall, persist through reboot
Camera/Microphone "Biometric verification" Environmental audio capture
Storage "Secure document cache" File enumeration and exfiltration
Contacts "Directory synchronization" Contact harvesting for lateral phishing
SMS "Two-factor authentication" SMS interception for MFA bypass

Evidence Artifacts:

Artifact Detail
Intune MDM Log Device: Samsung Galaxy S24 — User: r.torres@meddevicecorp.com — Compliance status: Non-compliant (unknown sources enabled) — 2026-02-18T14:22:00ZAlert: Not generated (compliance check runs every 8 hours)
SMS Gateway (carrier) Inbound SMS to Dr. Torres's number from +1-555-0147 (spoofed) — Content: "MedDevice Security..." — 2026-02-18T14:15:33Z
Android Device Log APK installed: com.meddevice.authenticator — Source: browser download — Signing: self-signed (not Play Protect verified) — 2026-02-18T14:20:44Z
Google Play Protect Alert: "Potentially harmful app detected" — App: com.meddevice.authenticator — User action: Ignored warning, proceeded with install
Phase 1 — Discussion Inject

Technical: The Intune MDM compliance policy flags the device as non-compliant when "unknown sources" is enabled, but the compliance check only runs every 8 hours. What is the appropriate compliance check frequency? What Intune compliance action would you configure to immediately block corporate access upon non-compliance?

Decision: Dr. Torres ignored the Google Play Protect warning and sideloaded the app. Your security awareness training covers phishing emails but not smishing or malicious app sideloading. How do you update your training program to address mobile-specific threats? Should you technically prevent sideloading on enrolled devices, even though this is a personal (BYOD) device?

Expected Analyst Actions: - [ ] Review Intune compliance policies — identify the gap in compliance check frequency - [ ] Investigate the smishing message — trace the originating phone number and URL - [ ] Analyze the APK file in a mobile sandbox (e.g., Joe Sandbox Mobile, Corellium) - [ ] Check if other employees received similar smishing messages - [ ] Block the domain meddevice-auth[.]app at the DNS and web proxy level

Phase 2 — Permission Abuse & Credential Theft (~30 min)

With Accessibility Service access, DroidHook begins capturing Dr. Torres's screen activity and keystrokes. Over the next 72 hours, the malware captures:

  • Microsoft Intune Company Portal login credentials
  • Microsoft Teams authentication token (intercepted during app refresh)
  • Corporate email (Outlook Mobile) — read access via Accessibility screen scraping
  • VPN credentials for MedDevice Corp's GlobalProtect VPN (entered manually by Dr. Torres)
  • SMS-based MFA codes for 3 corporate applications (intercepted via SMS permission)

The malware establishes a C2 channel via Firebase Cloud Messaging (FCM) — a legitimate Google service — making network-based detection extremely difficult because FCM traffic is indistinguishable from normal Android push notification traffic.

DroidHook exfiltrates the following data to a C2 server at 198.51.100.88:

Credential Source Captured
r.torres@meddevicecorp.com / Tr0p!c@lF!sh2026 Outlook Mobile login 2026-02-18T14:35:00Z
Microsoft Teams OAuth token Token refresh interception 2026-02-18T15:02:33Z
GlobalProtect VPN: rtorres / M3dD3v!c3VPN Manual entry capture 2026-02-19T08:14:22Z
SMS MFA codes (6 intercepted) SMS permission 2026-02-18 through 2026-02-21
Data Type Volume Method
Email subjects and bodies (Outlook) 2,847 emails Accessibility screen scraping
Teams messages and attachments 340 messages, 47 files Screen capture + file access
Contact directory 1,247 contacts Contacts permission
Calendar entries 180 entries (3 months) Calendar provider access
Device photos (including whiteboard photos from meetings) 847 photos Storage permission

When Dr. Torres connects to MedDevice Corp's corporate WiFi (MedDevice-Corp-5G, WPA2-Enterprise), DroidHook performs network scanning:

  • Identified 14 internal hosts on 10.10.0.0/16
  • Discovered an internal wiki at 10.10.5.20:8080
  • Found an unpatched Jenkins server at 10.10.12.45:8443

Evidence Artifacts:

Artifact Detail
Network Flow Logs Device: Dr. Torres's Samsung Galaxy — Outbound to 198.51.100.88:443 — Volume: 12MB/day — Protocol: HTTPS — Mixed with FCM traffic to fcm.googleapis.com
Intune MDM Device compliance: Non-compliant — Reason: Unknown sources enabled, unmanaged app with Device Admin — First compliance check failure: 2026-02-18T22:00:00Z (8 hours post-install)
Microsoft Entra ID Sign-in: r.torres@meddevicecorp.com — Source: GlobalProtect VPN (203.0.113.155) — Device: Windows 10 (not Dr. Torres's registered devices) — 2026-02-21T03:14:00ZAttacker using stolen VPN credentials
WiFi Controller Logs Device: Samsung_S24_Torres — Connected to MedDevice-Corp-5G — Internal traffic: ARP scans to 10.10.0.0/162026-02-19T09:00:00Z through 2026-02-19T17:30:00Z
Phase 2 — Discussion Inject

Technical: DroidHook uses Firebase Cloud Messaging (FCM) for C2 communication, which blends with legitimate Android push notification traffic. How would you detect C2 over FCM? What mobile threat defense (MTD) solution capabilities would identify this behavior?

Decision: Dr. Torres's stolen VPN credentials are being used by the attacker from an unregistered device. You can (A) immediately disable Dr. Torres's account — but she's the VP of Clinical Research and is leading an FDA submission this week, or (B) implement a conditional access policy requiring device compliance before VPN access — but this takes 24 hours to deploy. What do you do in the interim?

Expected Analyst Actions: - [ ] Immediately revoke Dr. Torres's VPN credentials and force MFA re-registration - [ ] Block the C2 IP 198.51.100.88 at the corporate firewall - [ ] Deploy conditional access policy: require compliant device + managed app for corporate resource access - [ ] Review network flow logs for data exfiltration volume from Dr. Torres's device - [ ] Scan internal network for signs of lateral movement from the Jenkins server discovery

Phase 3 — Lateral Pivot to Corporate Network (~30 min)

Using Dr. Torres's stolen GlobalProtect VPN credentials, the attacker connects to MedDevice Corp's corporate network from an external IP (203.0.113.155). The VPN does not enforce device compliance checks — any device with valid credentials can connect.

Once on the VPN, the attacker targets the unpatched Jenkins server discovered during Phase 2 network reconnaissance (10.10.12.45:8443). The Jenkins instance runs version 2.387 with a known RCE vulnerability (synthetic CVE). The attacker gains code execution on the Jenkins server and discovers:

  • Jenkins credentials store containing 14 sets of credentials (SSH keys, API tokens, database passwords)
  • Pipeline configurations referencing production databases at 10.10.50.10 (PostgreSQL) and 10.10.50.11 (MongoDB)
  • Deployment SSH keys with access to 8 production servers

The attacker uses Jenkins pipeline credentials to access the MongoDB instance containing clinical trial data — including patient demographics, treatment outcomes, and adverse event reports for MedDevice Corp's flagship cardiac monitoring device.

Evidence Artifacts:

Artifact Detail
GlobalProtect VPN Log Session: rtorres — Source IP: 203.0.113.155 — Assigned IP: 10.10.200.47 — Duration: 4h 22m — 2026-02-21T03:14:00Z
Jenkins Access Log Login: admin (default) — Source IP: 10.10.200.47 (VPN pool) — 2026-02-21T03:28:44Z
Jenkins Audit Log Credential access: 14 stored credentials viewed — Script console: Groovy script executed — 2026-02-21T03:31:00Z
MongoDB Audit Log Authentication: jenkins-svc — Source IP: 10.10.12.45 (Jenkins server) — Collections accessed: clinical_trials.patient_data, clinical_trials.adverse_events — Documents read: 24,847 — 2026-02-21T03:45:00Z through 04:12:00Z
Network IDS (Suricata) Alert: "Potential data exfiltration — large MongoDB query result" — Source: 10.10.12.4510.10.50.11 — Size: 3.2GB — Severity: Medium
Phase 3 — Discussion Inject

Technical: The attacker pivoted from a compromised mobile device to the corporate network via VPN, then exploited an unpatched Jenkins server to reach production databases. How many security control failures were required for this attack chain to succeed? Map each failure to a specific control that should have prevented it.

Decision: The attacker accessed clinical trial patient data — 24,847 records including patient demographics and adverse event reports. This is regulated under FDA 21 CFR Part 11 and HIPAA. You must assess: (1) Is this a reportable breach under HIPAA? (2) Does this affect your pending FDA submission? (3) Who needs to be notified, and in what order? Draft a notification priority list.

Expected Analyst Actions: - [ ] Immediately terminate the VPN session for rtorres from 203.0.113.155 - [ ] Isolate the Jenkins server (10.10.12.45) from the network - [ ] Rotate all 14 credential sets stored in Jenkins - [ ] Assess MongoDB access scope — determine exact records and fields accessed - [ ] Preserve MongoDB audit logs and Jenkins logs for forensic analysis - [ ] Engage HIPAA breach counsel to assess notification requirements

Phase 4 — Detection & Remediation (~25 min)

The compromise is detected on 2026-02-22 when the SOC team investigates the Suricata alert for large MongoDB query results. The investigation reveals the full attack chain: smishing → malicious app → credential theft → VPN access → Jenkins exploit → data access.

Detection Timeline:

Time Event Detected By
T+0h Malicious app installed Google Play Protect (warning ignored by user)
T+8h Device non-compliant Intune MDM compliance check
T+72h VPN login from unknown device Entra ID sign-in log (no alert configured)
T+73h Jenkins exploitation No detection (unmonitored system)
T+74h MongoDB large query Suricata IDS alert (first actionable detection)
T+96h SOC investigation begins Manual triage of Suricata alert

Remediation Actions:

  • Revoke Dr. Torres's all credentials — Entra ID, VPN, email
  • Remote wipe corporate data from the compromised Samsung Galaxy via Intune selective wipe
  • Isolate Jenkins server and affected network segments
  • Block C2 IP 198.51.100.88 and domain meddevice-auth[.]app
  • Rotate all Jenkins-stored credentials
  • Forensic analysis of Dr. Torres's device (if recoverable) or MDM telemetry
  • Full credential rotation for all VPN users
  • Deploy conditional access: require managed + compliant device for VPN and all corporate apps
  • Patch Jenkins to current version
  • Conduct threat hunt across all MDM-enrolled devices for similar malware indicators
  • Deploy Mobile Threat Defense (MTD) solution integrated with Intune
  • Implement app protection policies (MAM) — containerize corporate data on BYOD devices
  • Redesign VPN architecture — enforce device compliance and certificate-based authentication
  • Conduct security awareness training focused on smishing and mobile threats
  • Review and harden all internal development tools (Jenkins, GitLab, etc.)

Evidence Artifacts:

Artifact Detail
Intune MDM Selective wipe initiated: r.torres@meddevicecorp.com — Device: Samsung Galaxy S24 — Corporate data removed — 2026-02-22T11:14:00Z
Suricata IDS Alert that triggered investigation: ET POLICY Large MongoDB Query Response — Severity: Medium — 2026-02-21T04:12:33Z — Triaged: 2026-02-22T09:00:00Z (29-hour delay)
Entra ID All tokens revoked for r.torres@meddevicecorp.com2026-02-22T11:00:00Z
Incident Report Total data exposed: 24,847 clinical trial records + 2,847 emails + corporate contacts + meeting photos — Regulatory: HIPAA breach assessment initiated
Phase 4 — Discussion Inject

Technical: The first actionable detection was the Suricata IDS alert at T+74 hours — nearly 3 days after the initial compromise. Multiple earlier signals existed (Play Protect warning, Intune non-compliance, VPN anomaly) but were not acted upon. How would you redesign detection to achieve sub-1-hour detection for this attack chain?

Decision: MedDevice Corp must now decide between MAM (Mobile Application Management) and MDM (Mobile Device Management) for their BYOD program. MAM provides app-level containerization without controlling the device, while MDM provides device-level control but raises employee privacy concerns. What are the tradeoffs, and which approach is appropriate for a healthcare organization handling clinical trial data?

Expected Analyst Actions: - [ ] Complete incident timeline and root cause analysis - [ ] Assess total data exposure — clinical trial data, emails, contacts, photos - [ ] Engage HIPAA breach counsel — determine if 60-day notification is required - [ ] Brief executive leadership on incident scope and regulatory implications - [ ] Initiate vendor selection for Mobile Threat Defense (MTD) solution - [ ] Update incident response playbooks to include mobile-specific attack chains

Detection Opportunities

Phase Technique ATT&CK Detection Method Difficulty
1 Malicious app sideload T1474.001 MDM compliance: block unknown sources, detect non-Play Store installs Easy
1 Smishing link T1660 SMS gateway analysis (limited for BYOD — carrier-dependent) Hard
2 Accessibility Service abuse T1407 MTD: detect apps requesting Accessibility + Device Admin Medium
2 Credential theft via screen scraping T1417 MTD: behavioral analysis of app screen access patterns Hard
2 C2 via FCM T1437 Network anomaly: unusual FCM traffic volume/patterns Hard
3 VPN from unregistered device T1078.004 Conditional Access: require managed device for VPN Easy
3 Jenkins exploitation T1190 Vulnerability scanning + Jenkins audit logging Medium
4 Large database query T1530 IDS/DLP: alert on anomalous database query volume Medium

MAM vs. MDM Comparison

Mobile Security Architecture Decision

Capability MDM (Device Management) MAM (App Management)
Scope Full device control Corporate apps only
Privacy Device-level visibility (may see personal apps, location) App-level only — no personal data visibility
Employee Acceptance Lower — "company controls my phone" perception Higher — clear work/personal separation
Security Posture Stronger — enforce device-wide policies (encryption, PIN, OS version) Moderate — app-level containerization, but device vulnerabilities remain
Sideloading Prevention Can block unknown sources device-wide Cannot prevent sideloading (app-level control only)
Remote Wipe Full device wipe or selective wipe Selective wipe of corporate data only
Recommended For Corporate-owned devices (COPE) BYOD programs with privacy-sensitive workforce

Recommendation for Healthcare BYOD: Deploy MAM with conditional access — containerize all corporate data within managed apps (Outlook, Teams, OneDrive), require app-level PIN/biometric, and integrate Mobile Threat Defense (MTD) for device-level risk assessment without full device management.

Key Discussion Questions

  1. Dr. Torres ignored the Google Play Protect warning and sideloaded a malicious app. How do you design security controls for BYOD that don't rely on user judgment while respecting device ownership?
  2. The Intune compliance check runs every 8 hours. For a healthcare organization, is this frequency adequate? What compliance check interval would you recommend, and what are the battery/performance tradeoffs?
  3. The attacker used Firebase Cloud Messaging for C2 — a legitimate Google service. How do you detect malicious use of legitimate services (FCM, Slack webhooks, Telegram bots) for C2 without blocking legitimate business communications?
  4. The attack chain required 5 control failures in sequence (sideloading, compliance delay, VPN without device check, unpatched Jenkins, MongoDB access). How do you prioritize remediation when resources are limited?
  5. What mobile-specific incident response procedures are missing from most IR playbooks? How does BYOD complicate evidence collection and forensic analysis?

Debrief Guide

What Went Well

  • Intune MDM did detect the non-compliance — the gap was check frequency and automated response
  • Suricata IDS caught the anomalous database query — network monitoring provided the actionable detection
  • Selective wipe capability allowed removal of corporate data without affecting personal device content

Key Learning Points

  • Mobile devices are a primary attack vector for BYOD environments — smishing and malicious app sideloading are the mobile equivalents of phishing and malware
  • MDM compliance check frequency matters — 8-hour intervals create a window of exposure that attackers can exploit
  • VPN without device compliance is a bypass vector — conditional access must enforce device health before granting network access
  • Mobile Threat Defense (MTD) is essential for BYOD — it provides device-level risk assessment without full MDM, detecting malicious apps, network attacks, and OS vulnerabilities
  • Internal development tools (Jenkins, GitLab) are high-value pivot targets — they store credentials and have access to production systems
  • [ ] Deploy Mobile Threat Defense (MTD) solution integrated with Intune conditional access
  • [ ] Implement MAM policies — containerize corporate data with app protection policies
  • [ ] Enforce conditional access for VPN — require compliant, managed device with MTD risk assessment
  • [ ] Reduce Intune compliance check interval to 1 hour for high-risk policies
  • [ ] Deploy certificate-based VPN authentication — eliminate password-only VPN access
  • [ ] Patch and harden Jenkins — remove default credentials, enable audit logging, restrict network access
  • [ ] Conduct smishing awareness training for all employees with BYOD enrollment
  • [ ] Implement database activity monitoring (DAM) for clinical trial databases

References