Using the Insights Dashboard
The Insights page previews a dashboard feature that gives a management view across all enterprise devices, shown here with a sample page view.
Device Pool - The pie chart shows the distribution of devices by status: app activated and protected versus pending activation.
Critical Devices - The number of devices with one or more critical threats over the last 90 days.
Risky Devices - The number of devices with one or more risky events over the last 90 days.
OS Risk - Android and iOS devices running outdated and vulnerable operating system versions; these devices must be updated to remove this risk.
Current Security Score - The current security score across all devices, based on an assessment of Mobile Security app activation, risks, and threats. It increases as app activation increases and as device risks and threats decrease.
Note
The security score calculation is based on Device Pool, Critical Devices, Risky Devices, and OS Risk data. It does not include the number of devices that had critical threats and risky events over the last 90 days. This score is calculated using data from the previous day.
Security Score Trend - A security score graph can be displayed over a daily, weekly, or monthly time frame.
Key Features - The enabled or disabled status of key features of the solution, such as MDM Integration and Advanced App Analysis.
Top Critical Events - The top five critical threats, sorted by the number of events over the last 90 days.
Top Risky Events - The top five risky events, sorted by the number of events over the last 90 days.
The critical threats shown in the Insights Dashboard
This section describes the threats and their meanings. These threats appear in the threat policy, where system administrators can set their severity levels.
Mitigating a threat means reducing the risk it poses or removing the risk altogether. Each threat indicates whether its mitigation is automatic or manual.
Automatic - when the device state or another risk factor changes, the threat is mitigated automatically through the Mobile Security console or app, and its status changes from Pending to Fixed.
Manual - an administrator must mark the threat as fixed or approved.
Item | Threat description | Default Severity | Mobile Security for Android | Mobile Security for iOS | Mobile Security for Chrome OS | Security for Chrome | Internal threat name, ID | Mitigation | Vector | Tag | Mitre tactics |
---|---|---|---|---|---|---|---|---|---|---|---|
Abnormal Process Activity (SDK) | Detected abnormal activity. Your device is being monitored for any attacks. | Elevated | Yes | - | Yes | - | ABNORMAL_PROCESS_ACTIVITY, 10 | Manual | Device | host.process.activity | Execution, Persistence, Impact |
Accessibility Active (SDK Only) | Detected app with accessibility service active. This feature may be abused by malware to capture passwords or two-factor authentication codes to gain access to other sensitive applications and even allow remote control of the device. | Low | - | - | - | - | ACCESSIBILITY_ACTIVE, 177 | Automatic | Malware | ACCESSIBILITY_ACTIVE | Defense Evasion, Impact |
Accessibility Active - Sideloaded App (SDK Only) | Detected sideloaded app with accessibility service active. This feature may be abused by malware to capture passwords or two-factor authentication codes to gain access to other sensitive applications and even allow remote control of the device. | Low | - | - | - | - | ACCESSIBILITY_ACTIVE_SIDELOADED, 190 | Automatic | Malware | ACCESSIBILITY_ACTIVE_SIDELOADED | Defense Evasion, Impact |
Active ADB Session Detected (SDK) | Android Debug Bridge (adb) is an advanced debugging tool typically used to interact with the device during development and troubleshooting sessions. An active adb session was detected and should be monitored closely. | Elevated | Yes | - | - | - | ACTIVE_ADB_SESSION, 187 | Automatic | Device | ACTIVE_ADB_SESSION | Execution |
Actively Exploited Android Version (SDK) | High-risk vulnerabilities have been reported and are actively being exploited by malicious actors. Actively exploited vulnerabilities represent an immediate and known security threat, as attackers are already taking advantage of them. It's crucial to address actively exploited vulnerabilities quickly to protect systems and data from potential harm. | Critical | Yes | - | - | - | ACTIVE_EXPLOIT_OS_ANDROID, 172 | Automatic | Device | host.vulnerable.android.active | Execution |
Actively Exploited iOS Version (SDK) | High-risk vulnerabilities have been reported and are actively being exploited by malicious actors. Actively exploited vulnerabilities represent an immediate and known security threat, as attackers are already taking advantage of them. It's crucial to address actively exploited vulnerabilities quickly to protect systems and data from potential harm. | Critical | - | Yes | - | - | ACTIVE_EXPLOIT_OS_IOS, 173 | Automatic | Device | host.vulnerable.ios.active | Execution |
Always-on VPN App Set (SDK) | An app has been configured as an always-on VPN on this device. The app may monitor all device communications with the Internet. | Elevated | Yes | - | Yes | - | ALWAYS_ON_VPN_APP_SET, 87 | Automatic | Device | host.always_on_vpn_app | Collection, Exfiltration, Network Effects |
Android App Container (SDK) | An application cloning environment was detected. This may be seen as an evasion technique from company security policies. | Elevated | Yes | - | - | - | ANDROID_APP_CONTAINER, 169 | Automatic | Device | Android App Container | Defense Evasion |
Android Custom ROM (SDK) | Using custom ROMs on mobile devices exposes users to significant security risks. Unlike official firmware from manufacturers, custom ROMs often lack rigorous security testing and updates. This can lead to vulnerabilities like backdoors, unpatched exploits, and malicious code. Additionally, custom ROMs can compromise device integrity, making it easier for attackers to access sensitive information. Users may also miss critical security patches, increasing the likelihood of exploitation by cyber threats. | Elevated | Yes | - | - | - | ANDROID_CUSTOM_ROM, 203 | Automatic | Device | ANDROID_CUSTOM_ROM | - |
Android Debug Bridge (ADB) Apps Not Verified (SDK) | Apps installed via ADB are not required to be verified. This may allow malicious apps to be installed on the device. | Elevated | Yes | - | Yes | - | ANDROID_DEBUG_BRIDGE_APPS_NOT_VERIFIED, 85 | Automatic | Device | host.adb_apps_not_verified | Initial Access, Privilege Escalation, Persistence, Credential Access, Lateral Movement, Collection, Exfiltration |
Android Debug Bridge (ADB) Wi-Fi Enabled (SDK) | Wireless Developer Options is an advanced configuration option intended for development purposes only. When enabled, the user has the option to change advanced settings remotely without a physical connection to the device, compromising the integrity of the device settings. | Elevated | Yes | - | - | - | WIFI_DEBUGGING_ON, 156 | Manual | Device | host.wifi_debugging | Initial Access, Impact |
Android Device - Compatibility not tested by Google (SDK) | The profile of the Android device does not match the profile of any devices that have passed Google's Android compatibility testing. | Low | Yes | - | - | - | ANDROID_COMPATIBILITY_TESTING, 70 | Automatic | Device | host.SafetyNetAttestation.ctsProfileMatch-false | Initial Access, Impact |
Android Device - Possible Tampering (SDK) | Possible tampering may have occurred with the Android device. | Critical | Yes | - | Yes | - | ANDROID_BASIC_INTEGRITY, 71 | Automatic | Device | host.SafetyNetAttestation.basicintegrity-false | Execution, Persistence, Privilege Escalation, Impact |
Android Device Policy Not Installed (SDK) | Android Device Policy is not installed. Click the Enable button below to fix the issue. | Elevated | Yes | - | - | - | AMAPI_NOT_ENABLED, 216 | Automatic | Device | AMAPI_NOT_ENABLED | - |
App Debug Enabled (SDK) | An app with debug enabled can pose a risk and allow an attacker to control and manipulate the underlying app functions. | Elevated | Yes | - | - | - | DEBUG_ENABLED_APK, 103 | Automatic | Device | host.app_debug_enabled | Persistence, Impact, Collection |
App Integrity Check Failed (SDK Only) | Changes to the application code at runtime are associated with tampering, debugging or instrumenting of the app. This integrity violation highlights an active reverse engineering threat where | Critical | - | - | - | - | SIGNATURE_CHECK_FAILED, 194 | Automatic | Device | SIGNATURE_CHECK_FAILED | Initial Access, Defense Evasion |
App Pending Activation | App activation for the Mobile Threat Defense (MTD) application is not complete. Notification email: Indicates that the server detects the threat and sends a notification (email) without a device alert display within the application. | Low | Yes | Yes | Yes | - | DEVICE_PENDING_ACTIVATION, 200 | Automatic | Device | host.device_pending_activation | - |
App Running on Emulator (SDK) | An app running on an emulator can pose a risk and allow an attacker to control and manipulate the underlying operating environment. | Critical | Yes | Yes | - | - | DEVICE_EMULATOR, 104 | Automatic | Device | host.device_emulator | Discovery, Collection |
App Tampering (SDK) | Existing app libraries may have been modified, or a foreign library may have been injected into the app. | Critical | Yes | Yes | Yes | - | APP_TAMPERING, 75 | Automatic | Device | host.app_tampering | Execution, Persistence, Privilege Escalation, Defense Evasion |
Apple Approved Marketplace Enabled (SDK) | An Apple approved marketplace has been enabled on the device. Leveraging Apple approved marketplaces to install apps not directly from the Apple app store might put the device at risk. | Elevated | - | Yes | - | - | THIRD_PARTY_STORE, 196 | Automatic | Device | THIRD_PARTY_STORE | - |
ARP Scan (SDK) | A reconnaissance scan using the ARP protocol is often an indicator of a malicious attacker searching for a device vulnerable to a network attack, such as MITM. | Normal | Yes | - | - | - | ARP_SCAN, 3 | Automatic | Network | network.scan.arp | Network Effects, Discovery, Collection |
Battery Permission Required | The app requires battery optimization permission to allow it to stay active when running in the background and ensure continuous protection on the device. | Elevated | Yes | - | - | - | BATTERY_PERMISSION_REQUIRED, 144 | Automatic | Device | BATTERY_PERMISSION_REQUIRED | - |
BlueBorne Vulnerability (SDK) | The device is vulnerable to a BlueBorne attack, which leverages Bluetooth connections to penetrate and take control of targeted devices. To avoid any risk from BlueBorne, the user needs to permanently turn off Bluetooth until an update is available from your device manufacturer or wireless carrier. For those users that still require the use of Bluetooth, it is recommended that Bluetooth is turned off until it is needed and only in a trusted and secure area. | Elevated | Yes | - | Yes | - | BLUEBORNE_VULNERABLE, 69 | Automatic | Device | host.blueborne_vulnerability | Initial Access, Remote Service Effects |
Bluetooth Permission Required | Bluetooth permission is required by the app to detect unknown tag trackers that could be tracking the device's location. | Elevated | Yes | - | - | - | BLUETOOTH_PERMISSION_REQUIRED, 148 | Automatic | Device | BLUETOOTH_PERMISSION_REQUIRED | - |
Captive Portal (SDK) | Captive portal networks route traffic through a single proxy (portal), potentially opening up the traffic to monitoring. | Normal | Yes | Yes | Yes | - | CAPTIVE_PORTAL, 67 | Automatic | Network | network.captive_portal | Network Effects, Initial Access |
Cellular Interception (SDK) | Cellular interception was detected on your cellular network. This is suspicious behavior by your cellular carrier, by a third-party attacker who has gained access to the carrier's network, or by a hardware radio device. The traffic flowing between your device and internet services has been tampered with. | Elevated | Yes | Yes | - | - | CELLULAR_INTERCEPTION, 175 | Automatic | Network | network.mitm.cellular_interception | - |
Cellular Network Change (SDK) | The cellular network service provider has changed. | Normal | Yes | Yes | - | - | CELLULAR_NETWORK_CHANGE, 167 | - | Network | CELLULAR_NETWORK_CHANGE | - |
Changes to System Libraries (SDK) | OS system libraries have been changed. Changes to system libraries are not expected outside of OS updates and should be investigated. | Elevated | Yes | Yes | - | - | SYSTEM_LIBRARY_CHANGES, 166 | Automatic | Device | SYSTEM_LIBRARY_CHANGES | Persistence, Privilege Escalation, Defense Evasion |
Compromised by Spyware (SDK) | This device has been compromised with malicious spyware. Malicious spyware is a type of malware designed to monitor and collect information from your device and forward it to unknown servers without user consent. | Critical | - | Yes | - | - | PEGASUS, 130 | Automatic | Device | host.pegasus | Initial Access, Command and Control |
Compromised Network (SDK) | A pattern of threats occurred that indicates the device is connected to a compromised network. Sensitive data on the device may be intercepted and could be monitored and modified by an unauthorized party. Type is composite. | Critical | Yes | Yes | Yes | - | COMPROMISED_NETWORK, 125 | Automatic | Network | pattern.compromised_network | Initial Access, Collection, Exfiltration, Network Effects |
Crash Log Anomaly Detected - Non-System Process (SDK) | Abnormal crashing of non-system processes is uncommon and can be an indicator of something more serious happening on the device and should be investigated as soon as possible. | Elevated | - | Yes | - | - | USER_PROCESS_CRASH, 208 | Automatic | Device | USER_PROCESS_CRASH | - |
Crash Log Anomaly Detected - System Process (SDK) | Abnormal crashing of system processes is uncommon and can be an indicator of something more serious happening on the device and should be investigated as soon as possible. | Elevated | - | Yes | - | - | SYSTEM_PROCESS_CRASH, 207 | Automatic | Device | SYSTEM_PROCESS_CRASH | - |
Daemon Anomaly (SDK) | A daemon anomaly indicates abnormal system process activities that can indicate that the device has been exploited. Note: Advanced Knox MTD is required. | Low | Yes | - | - | - | DAEMON_ANOMALY, 43 | Automatic | Device | host.daemon_anomaly | Persistence, Privilege Escalation, Execution |
Danger Zone Connected | The device connected to a Wi-Fi network where malicious attacks have been observed. | Low | Yes | Yes | Yes | - | DANGERZONE_CONNECTED, 79 | Automatic | Network | network.danger_zone_connected | Initial Access, Network Effects |
Danger Zone Nearby - deprecated | The device is near a Wi-Fi network where malicious attacks have been observed. | Normal | Yes | Yes | Yes | - | DANGERZONE_NEARBY, 80 | Automatic | Network | network.danger_zone_nearby | Initial Access, Network Effects |
Detection Inactive - deprecated | Mobile threat detection is inactive. No method of detection is active, either from the app or VPN. | Elevated | Yes | Yes | Yes | - | DETECTION_INACTIVE, 1007 | Automatic | Device | host.detection_inactive | - |
Detection Pending Activation - deprecated | MTD detection is pending activation. | Low | Yes | Yes | Yes | - | DETECTION_PENDING_ACTIVATION, 1006 | Automatic | Device | host.detection_pending_activation | - |
Developer Options (SDK) | Developer Options is an advanced configuration option intended for development purposes only. When enabled, the user has the option to change advanced settings, compromising the integrity of the device settings. | Low | Yes | Yes | Yes | - | DEVELOPER_OPTIONS_ON, 47 | Automatic | Device | host.developer_options | Impact |
Device Admin Permission Required for Samsung Knox | Device admin permission is required by the app to enable Samsung Knox functionality to protect devices from mobile threats. | Elevated | Yes | - | - | - | DEVICE_ADMIN_PERMISSION_REQUIRED, 147 | Automatic | Device | DEVICE_ADMIN_PERMISSION_REQUIRED | - |
Device Compromised via iOS Malicious Profile (SDK) | The device was compromised by a sophisticated kill chain attack that started with a malicious iOS profile and ended leaving the device compromised. Type is composite. | Critical | - | Yes | - | - | DEVICE_COMPROMISED_VIA_IOS_MALICIOUS_PROFILE, 124 | Manual | Device | pattern.device_compromised_via_ios_malicious_profile | Initial Access, Execution, Persistence, Privilege Escalation, Credential Access, Collection, Exfiltration, Impact |
Device Compromised via Malicious App (SDK) | The device was compromised by a sophisticated kill chain attack that started with a malicious app and ended leaving the device compromised. Type is composite. | Critical | Yes | Yes | Yes | - | DEVICE_COMPROMISED_VIA_MALICIOUS_APP, 122 | Manual or Automatic | Device | pattern.device_compromised_via_malicious_app | Initial Access, Execution, Persistence, Privilege Escalation, Credential Access, Collection, Exfiltration, Impact |
Device Compromised via Network-Based Effects (SDK) | The device was compromised by a sophisticated kill chain attack that started at the network and ended leaving the device compromised. Type is composite. | Critical | Yes | Yes | Yes | - | DEVICE_COMPROMISED_VIA_NETWORK_BASED_ATTACKS, 121 | Manual | Network | pattern.device_compromised_via_network_based_attacks | Initial Access, Execution, Persistence, Privilege Escalation, Credential Access, Collection, Exfiltration, Impact, Network Effects |
Device Compromised via Phishing Attack | The device was compromised by a sophisticated kill chain attack that started with a phishing threat and ended leaving the device compromised. Type is composite. | Critical | Yes | Yes | Yes | - | DEVICE_COMPROMISED_VIA_PHISHING_ATTACK, 123 | Manual | Network | pattern.device_compromised_via_phishing_attack | Initial Access, Execution, Persistence, Privilege Escalation, Credential Access, Impact, Network Effects |
Device Encryption (SDK) | Encryption is not set up on the device and is needed to protect the device's content. | Elevated | Yes | - | - | - | ENCRYPTION_NOT_ENABLED, 49 | Automatic | Device | host.encryption | Impact |
Device Failed Basic Integrity Check (SDK) | The device may not meet Android compatibility requirements and may not be approved to run Google Play services. | Critical | Yes | - | - | - | PLAY_INTEGRITY_BASIC, 180 | Automatic | Device | PLAY_INTEGRITY_BASIC | - |
Device Failed Integrity Check (SDK) | The device may not meet Android compatibility requirements and may not be approved to run Google Play services. | Elevated | Yes | - | - | - | PLAY_INTEGRITY, 178 | Automatic | Device | PLAY_INTEGRITY | - |
Device Failed Strong Integrity Check (SDK) | The device may not pass system integrity checks or may not meet Android compatibility requirements. | Low | Yes | - | - | - | PLAY_INTEGRITY_STRONG, 179 | Automatic | Device | PLAY_INTEGRITY_STRONG | - |
Device Jailbroken / Rooted (SDK) | Jailbreaking and rooting are the processes of gaining unauthorized access or elevated privileges on a system. Jailbreaking and rooting can potentially open security holes that may not have been apparent or undermine the device's built-in security measures. | Critical | Yes | Yes | Yes | - | DEVICE_ROOTED, 39 | Automatic | Device | host.jailbroken | Execution, Persistence, Privilege Escalation |
Device Pin (SDK) | The device is not set up to use a PIN code or password to control access to the device. | Elevated | Yes | Yes | - | - | PASSCODE_NOT_ENABLED, 50 | Automatic | Device | host.pin | Impact |
DNS Change (SDK) - Deprecated | The DNS configuration changed on the mobile device. If the DNS change happened within your own network to an unknown DNS server, then it is likely a MITM attempt. Note: This threat is deprecated. | Normal | Yes | - | Yes | - | DNS_CHANGE, 17 | Automatic | Network | host.config.dns | Initial Access, Network Effects |
Elevation of Privileges (EOP) (SDK) | A malicious process that results in the elevation of privileges on the mobile device allows an attacker to take full control of the device. | Elevated | Yes | Yes | - | - | RUNNING_AS_ROOT, 12 | Manual | Device | host.process.eop | Persistence, Privilege Escalation, Execution |
Enable Permissions for Zero-Touch Activation | When zero-touch activation is used, this threat will show that the user has not yet granted the necessary permissions for the application to fully function. | Elevated | Yes | Yes | - | - | ENABLE_PERMISSIONS, 192 | Automatic | Device | ENABLE_PERMISSIONS | - |
File Pushed to a Sensitive Directory via ADB (SDK) | Android Debug Bridge (adb) is an advanced debugging tool typically used during development and troubleshooting sessions. During an active adb session, a file was uploaded to a sensitive directory on the device, which is not normal and is considered risky if the device is not under active development or incident troubleshooting. Note: This threat requires the Google Delegated Security Log Permission from the MDM. | Elevated | Yes | - | - | - | FILE_PUSHED_ADB, 186 | Automatic | Device | FILE_PUSHED_ADB | Collection, Execution |
File System Changed (SDK) | A file system change occurred. Modifications made to files in the file system may sometimes lead to a malicious event. Note: The behavior of this threat event varies between device manufacturers. | Elevated | Yes | Yes | Yes | - | FILES_SYSTEM_CHANGED, 23 | Manual | Device | host.process.filesystemchange | Persistence, Impact |
Filesystem Mount Points Changed (SDK) | Filesystem mounts are often changed as part of regular device behavior, but this can also occur as part of a device attack. On its own this is viewed as normal/low risk, but impacted devices should continue to be monitored for threats. | Elevated | Yes | Yes | Yes | - | FILES_SYSTEM_CHANGED, 23 | Manual | Device | host.filesystem_mounts_pts_change | - |
Gateway Change (SDK) - Deprecated | Gateway configuration changes on the mobile device can be indicative of sending traffic to a non-intended destination. | Normal | Yes | - | - | - | GATEWAY_CHANGE, 16 | Automatic | Network | host.config.gateway | Initial Access, Network Effects |
Google Play Protect Disabled (SDK) | Google Play Protect has been disabled on this device. Google Play Protect helps protect the device from malicious apps and needs to be re-enabled. | Elevated | Yes | - | Yes | - | GOOGLE_PLAY_PROTECT_DISABLED, 84 | Automatic | Device | host.config.google_play_protect_disabled | Initial Access, Impact |
Hacking Tools (SDK) | A hacking tool is a program or utility designed to intentionally modify or work around the standard operation of a device, operating system, or application. While hacking tools have legitimate purposes, such as debugging, testing, and performance monitoring, they can also be exploited for malicious purposes, posing significant risks to the device and the data on the device. | Low | Yes | - | - | - | HACKING_TOOLS, 188 | Automatic | Device | HACKING_TOOLS | Defense Evasion |
High Risk Browser Extension | A Chrome extension is detected that has one or more privacy and/or security concerns that may put your personal and confidential information at risk. | Elevated | - | - | - | Yes | HIGH_RISK_BROWSER_EXTENSION, 1004 | Automatic | Malware | chromeos.extension.high_risk | Persistence, Credential Access, Discovery, Collection, Execution |
High Risk Fraudulent Device (SDK Only) | The detection engine has identified indicators suggesting the device performing this transaction may be compromised. These indicators include excessive remote control permissions granted to applications. This significantly increases the risk of unauthorized activity on the device. | Critical | - | - | - | - | HIGH_RISK_FRAUD_DEVICE, 195 | Automatic | Device | HIGH_RISK_FRAUD_DEVICE | Impact, Command and Control |
Inactive App | A certain amount of time has passed and the app has not communicated with the server. Notification email: [c] | Elevated | Yes | Yes | Yes | - | INACTIVE_APP, 100 | Automatic | Device | app.dormant | - |
Internal Network Access (SDK) - Deprecated | An app was detected connecting to private or internal servers. It is uncommon for public applications to connect to internal servers. Public applications connecting to internal servers is considered suspicious behavior and needs investigation immediately for the possible threat of malware installed on the device and the risk of data leakage. | Low | Yes | - | - | - | INTERNAL_NETWORK_ACCESS, 48 | Automatic | Network | network.internal_network_access | Discovery, Lateral Movement, Collection |
iOS Rapid Security Response Available (SDK) | An iOS Rapid Security Response is available to be installed on the device. The Rapid Security Response contains important security improvements and should be installed as soon as possible. | Critical | - | Yes | - | - | IOS_RSR, 164 | Automatic | Device | host.rsr.ios | Impact |
iOS Shortcut Detection Disabled (SDK) | The device is not configured to detect risky or malicious iOS shortcuts. This option must be enabled on the device. | Elevated | - | Yes | - | - | SHORTCUT_REQUIRED, 181 | Automatic | Device | SHORTCUT_REQUIRED | - |
iOS Shortcut Detection Outdated (SDK) | The Bitdefender shortcut installed on the device is out of date. Not having the latest version of the Zimperium shortcut will prevent the latest capabilities from being used. | Elevated | - | Yes | - | - | SHORTCUT_OUTDATED, 201 | Automatic | - | - | - |
- | The device is configured to connect and sync data and backups with an external device over WiFi. | Normal | - | Yes | - | - | WIFI_SYNC_ENABLED, 94 | Automatic | Device | host.itunes.wifi_sync_enabled | Impact |
IP Scan (SDK) | A reconnaissance scan using the IP protocol is often an indicator of a malicious attacker searching for a device vulnerable to a network attack, such as MITM. | Normal | Yes | - | - | - | IP_SCAN, 2 | Automatic | Network | network.scan.ip | Initial Access, Discovery, Collection, Network Effects |
Link Verification Disabled - On-device VPN (SDK) | Link verification using the on-device VPN is disabled on the device. | Elevated | Yes | Yes | - | - | LINK_VERIFICATION_DISABLED, 143 | Automatic | Device | LINK_VERIFICATION_DISABLED | - |
Link Verification Disabled - Safari Extension | Link verification using the Safari browser extension is disabled on the device. | Elevated | - | - | - | - | SAFARI_EXTENSION_DISABLED, 151 | Automatic | Network | network.safari_extension_disabled | - |
Local Network Access Permission Required | Local network access is required by the app to enable the protection of devices from sophisticated Wi-Fi-based network attacks. | Elevated | - | Yes | - | - | LOCAL_NETWORK_PERMISSION_REQUIRED, 149 | Automatic | Network | LOCAL_NETWORK_PERMISSION_REQUIRED | - |
Location Permission Required: Android | Location permission is required by the app to protect devices from sophisticated network attacks. | Elevated | Yes | - | - | - | LOCATION_PERMISSION_REQUIRED_ANDROID, 145 | Automatic | Device | LOCATION_PERMISSION_REQUIRED_ANDROID | - |
Location Permission Required: iOS | Location permission is required by the app to include location information when reporting mobile threats. Location data provides real-time information on nearby Wi-Fi risks. | Elevated | - | Yes | - | - | LOCATION_PERMISSION_REQUIRED_IOS, 146 | Automatic | Device | LOCATION_PERMISSION_REQUIRED_IOS | - |
- | Lockdown mode is an iOS feature aimed at increasing the device's security. It is recommended that it be enabled. | Elevated | - | Yes | - | - | LOCKDOWN_DISABLED, 152 | Automatic | Device | LOCKDOWN_DISABLED | - |
Malicious iOS Shortcut Found (SDK) | A potentially malicious iOS shortcut has been found to be installed on your device. iOS shortcuts might pose a significant security risk to your information. It is recommended to review the shortcut to determine whether or not it should be used. | Critical | - | Yes | - | - | SHORTCUT_SUSPICIOUS, 182 | Automatic | Device | SHORTCUT_SUSPICIOUS | - |
MITM (SDK) | A man-in-the-middle attack occurred where a malicious attacker can hijack traffic, steal credentials, and deliver malware to the device. | Elevated | - | Yes | - | - | TRACEROUTE_MITM, 68 | Automatic | Network | network.mitm | Collection, Exfiltration, Network Effects |
MITM - ARP (SDK) | Man-in-the-Middle attack using ARP table poisoning where a malicious attacker can hijack traffic and steal credentials or deliver malware to the device. | Elevated | Yes | - | - | - | ARP_MITM, 4 | Automatic | Network | network.mitm.arp | Collection, Exfiltration, Network Effects |
MITM - Fake SSL Certificate (SDK) | A man-in-the-middle attack using a fake certificate occurred, and this is when a malicious attacker can hijack traffic, steal credentials, and deliver malware to the device. | Elevated | Yes | Yes | Yes | - | SSL_MITM, 35 | Automatic | Network | network.mitm.ssl_certificate | Collection, Exfiltration, Network Effects |
MITM - Fake SSL Certificate - Self Signed (SDK) | A man-in-the-middle attack occurred using a fake self-signed certificate. This is when a malicious attacker can hijack traffic, steal credentials, and deliver malware to the device. | Elevated | Yes | Yes | - | - | SSL_MITM_SELF_SIGNED, 138 | Automatic | Network | network.mitm.ssl_certificate_self_signed | Collection, Exfiltration, Network Effects |
MITM - ICMP Redirect (SDK) - Deprecated | A man-in-the-middle attack using ICMP protocol is when a malicious attacker can hijack traffic, steal credentials, and deliver malware to the device. Note: This threat is deprecated. | Elevated | Yes | - | - | - | ICMP_REDIR_MITM, 11 | Automatic | Network | network.mitm.icmp | Collection, Exfiltration, Network Effects |
MITM - SSL Strip (SDK) | A man-in-the-middle attack using SSL stripping allows a malicious attacker to change HTTPS traffic to HTTP, so they can hijack traffic, steal credentials, and deliver malware to the device. | Critical | Yes | Yes | Yes | - | SSL_STRIP, 14 | Automatic | Network | network.mitm.ssl_strip | Collection, Exfiltration, Network Effects |
MTD Is Not Activated on Both Work and Personal Profiles - Android Enterprise | The Mobile Threat Defense (MTD) application is not activated on both the personal and work profiles on this device. Install and activate the MTD app in both locations to ensure full device protection. | Elevated | Yes | - | - | - | ZIPS_NOT_RUNNING_ON_CONTAINER, 78 | Automatic | Device | host.afw_both_profiles_not_activated | - |
Network Anomaly with a Country Connection - Android | A country connection anomaly is detected, and we recommend uninstalling the app if this is not a regular app communication pattern. | Normal | Yes | - | - | - | COUNTRY_CONNECTION_ANOMALY_ANDROID, 213 | Automatic | Network | COUNTRY_CONNECTION_ANOMALY_ANDROID | - |
Network Anomaly with a Country Connection - iOS | A country connection anomaly is detected with potential risks. Running a Deep Scan is recommended to reduce device risks. | Normal | - | Yes | - | - | COUNTRY_CONNECTION_ANOMALY_IOS, 212 | Automatic | Network | COUNTRY_CONNECTION_ANOMALY_IOS | - |
Network Anomaly with a Traffic Peak - Android | A network traffic anomaly is detected, and we recommend uninstalling the app if this is not a regular app communication pattern. | Normal | Yes | - | - | - | NETWORK_TRAFFIC_ANOMALY_ANDROID, 211 | Automatic | Network | NETWORK_TRAFFIC_ANOMALY_ANDROID | - |
Network Anomaly with a Traffic Peak - iOS | A network traffic anomaly is detected with potential risks. Running a Deep Scan is recommended to reduce device risks. | Normal | - | Yes | - | - | NETWORK_TRAFFIC_ANOMALY_IOS, 210 | Automatic | Network | NETWORK_TRAFFIC_ANOMALY_IOS | - |
Network Handoff (SDK) - Deprecated | A network handoff occurred and can allow a device to alter routing on a network, potentially allowing for a man-in-the-middle attack. | Yes | - | - | - | - | NETWORK_HANDOFF, 36 | Automatic | Network | network.arp.handoff | Initial Access, Network Effects, Exfiltration |
Notification Permission Required | Notification permission is required by the app for users to receive on-device alerts about mobile security. | Elevated | Yes | Yes | - | - | NOTIFICATION_PERMISSION_REQUIRED, 150 | Automatic | Device | NOTIFICATION_PERMISSION_REQUIRED | - |
OS Not Compliant - Android (SDK) | The Android version is not compliant with the assigned OS compliance policy. The device has an Android upgrade available. | Elevated | Yes | - | - | - | ANDROID_OOC_UPGRADABLE, 161 | Automatic | Device | host.ooc.android.upgradable | Impact |
OS Not Compliant - iOS (SDK) | The iOS version is not compliant with the assigned OS compliance policy. The device has an iOS upgrade available. | Elevated | Yes | - | - | - | IOS_OOC_UPGRADABLE, 160 | Automatic | Device | host.ooc.ios.upgradable | Impact |
OS Not Compliant and Not Upgradable - Android (SDK) | The Android version is not compliant with the assigned OS compliance policy. The device does not have an Android upgrade available. | Elevated | Yes | - | - | - | ANDROID_OOC_NONUPGRADABLE, 163 | Automatic | Device | host.ooc.android.nonupgradable | Impact |
OS Not Compliant and Not Upgradable - iOS (SDK) | The iOS version is not compliant with the assigned OS compliance policy. The device does not have an iOS upgrade available. | Elevated | - | Yes | - | - | IOS_OOC_NONUPGRADABLE, 162 | Automatic | Device | host.ooc.ios.nonupgradable | Impact |
OS Upgrade Available - Android (SDK) | The Android version installed on the device is not up-to-date. New Android versions usually include security fixes. | Elevated | Yes | - | - | - | ANDROID_OUTDATED, 159 | Automatic | Device | host.outdated.android | Impact |
OS Upgrade Available - iOS (SDK) | The iOS version installed on the device is not up-to-date. New iOS versions usually include security fixes. | Elevated | Yes | - | - | - | IOS_OUTDATED, 158 | Automatic | Device | host.outdated.ios | Impact |
Out of Compliance App (SDK) | One or more apps are found on the device that are marked as Out-of-Compliance apps. | Elevated | Yes | Yes | Yes | - | OUT_OF_COMPLIANCE_APP, 93 | Automatic | Malware | host.app_out_of_compliance | Exfiltration, Collection, Impact |
Out of Compliance Browser Extension | A Chrome extension is detected that is marked out of compliance with your organization's policies. It is recommended that you remove it from your Chrome browser. | Elevated | - | - | - | Yes | OOC_BROWSER_EXTENSION, 1003 | Automatic | App | chromeos.extension.ooc | Persistence, Credential Access, Discovery, Collection, Execution |
Over-The-Air (OTA) Updates Disabled (SDK) | Over-the-air (OTA) updates have been disabled on this device. OTA updates help keep a device's software up to date and more secure. | Low | Yes | - | Yes | - | OVER_THE_AIR_UPDATES_DISABLED, 86 | Automatic | Device | host.ota_updates_disabled | Impact |
Phishing PDF File (SDK) Note: This threat was renamed from "PDF - Phishing Document" to "Phishing PDF File". | A potentially malicious URL was detected within the PDF file. | Elevated | Yes | - | - | - | PHISHING_PDF_DOCUMENT, 184 | Automatic | Device | PHISHING_PDF_DOCUMENT | Initial Access, Persistence, Credential Access, Impact, Collection, Exfiltration, Execution |
Phishing Protection - Link Tapped | A potentially malicious website address (URL) link was tapped on the device. | Elevated | Yes | Yes | Yes | Yes | MALICIOUS_WEBSITE, 9 | Automatic | Device | host.site-insight.link-tapped | Initial Access, Credential Access, Network Effects |
Phishing Protection - Link Visited | A user tapped a potentially malicious URL on the device. The user was warned of potential danger with the linked site and chose to continue to the website after the warning. | Elevated | Yes | Yes | Yes | Yes | MALICIOUS_WEBSITE_OPENED, 72 | Automatic | Device | host.site-insight.link-visited | Initial Access, Credential Access, Network Effects, Execution, Privilege Escalation |
Proxy Change (SDK) Note: This threat reports the change in the proxy configuration to the console, and it requires an administrator to manually mitigate it. | Proxy configuration changes on the mobile device can be indicative of sending traffic to a non-intended destination. | Low | Yes | - | - | - | PROXY_CHANGE, 15 | Manual | Network | host.config.proxy | Initial Access, Network Effects, Exfiltration |
Protected App Sideloaded (SDK) | The protected app is using an untrusted installation method, such as an unofficial app store. There's a risk that the app has been tampered with and could contain malicious code or behave unexpectedly. | Elevated | Yes | Yes | - | - | PROTECTED_APP_SIDELOADED, 197 | Manual | Malware | PROTECTED_APP_SIDELOADED | Initial Access, Persistence, Collection, Exfiltration |
Restart Device Reminder (SDK) Note: The timing for this threat reminder is 7 days. | Reminder to periodically restart the device. Periodically restarting the device helps with optimal performance and is a recommended security best practice. | Low | Yes | Yes | - | - | RESTART_DEVICE_REMINDER, 193 | Automatic | Device | RESTART_DEVICE_REMINDER | Persistence |
Risky iOS Shortcut Found (SDK) | A potentially risky iOS shortcut has been found to be installed on your device. iOS shortcuts might pose a significant security risk to your information. It is recommended to review the shortcut to determine whether or not it should be used. | - | Yes | - | - | - | SHORTCUT_RISKY, 183 | Automatic | Device | SHORTCUT_RISKY | - |
Risky Site Blocked | A potentially malicious website address (URL) link was blocked on the device. [j] | Elevated | Yes | Yes | Yes | Yes | MAL_WEBSITE_BLOCKED, 137 | Automatic | Device | content_filter.malsite_blocked | Initial Access |
Risky Site - Link Tapped | A potentially malicious website address (URL) link was tapped on the device. [j] | Elevated | Yes | Yes | Yes | Yes | MAL_WEBSITE_TAPPED, 135 | Automatic | Device | content_filter.malsite_tapped | Initial Access |
Risky Site - Link Visited | A user tapped a potentially malicious link on the device. The user was warned of potential danger with the linked site and chose to continue to the website after the warning. [j] | Critical | Yes | Yes | Yes | Yes | MAL_WEBSITE_VISITED, 136 | Automatic | Device | content_filter.malsite_visited | Initial Access |
Rogue Access Point (SDK) | Rogue access points exploit a device vulnerability to connect to a previously known Wi-Fi network by masking preferred and known networks. | Critical | Yes | Yes | Yes | - | ROGUE_ACCESS_POINT, 38 | Automatic | Network | network.mitm.rogue_ap | Network Effects, Initial Access, Credential Access |
Rogue Access Point: Nearby | Rogue access points exploit a device vulnerability to connect to a previously known Wi-Fi network by masking preferred and known networks. | Elevated | Yes | - | Yes | - | ROGUE_ACCESS_POINT_NEARBY, 65 | Automatic | Network | network.mitm.rogue_ap_nearby | Initial Access, Network Effects |
Screen Capture Detected (SDK Only) | Screen capture on mobile devices risks exposing sensitive information, as screenshots can easily be shared, synced to cloud services, or accessed if the device is compromised. Malware can exploit screen captures to steal data from secure apps, potentially leading to compliance violations in regulated industries. | Elevated | - | - | - | - | SCREEN_CAPTURE, 214 | Automatic | Device | SCREEN_CAPTURE | Collection |
Screen Sharing Active (SDK Only) | Screen sharing is a potential security risk. Sensitive information might be leaking from app screens. Malware may use this to gain remote control over the victim's devices. | Elevated | - | - | - | - | SCREENSHARE_ACTIVE, 176 | | Device | SCREENSHARE_ACTIVE | - |
Screen Sharing Suspected (SDK Only) | Screen sharing is a potential security risk. Sensitive information might be leaking from app screens. Malware may use this to gain remote control over the victim's devices. | Elevated | - | - | - | - | SCREENSHARE_SUSPECTED, 191 | Automatic | Device | SCREENSHARE_SUSPECTED | - |
SELinux Disabled (SDK) | Security-enhanced Linux (SELinux) is a security feature in the operating system that helps maintain the operating system's integrity. If SELinux has been disabled, the operating system's integrity may be compromised and should be investigated immediately. | Critical | Yes | - | - | - | SELINUX_DISABLED, 61 | Automatic | Device | host.selinux.disabled | - |
Sensitive File Downloaded from the Device via ADB (SDK) Note: This threat requires the Google Delegated Security Log Permission from the MDM. | Android Debug Bridge (adb) is an advanced debugging tool typically used during development and troubleshooting sessions. During an active adb session, a sensitive file was downloaded from the device, exposing a potential risk of data loss of sensitive information of the device or user. | Elevated | Yes | - | - | - | FILE_EXTRACTED_ADB, 185 | | Device | FILE_EXTRACTED_ADB | Collection, Execution |
Sideloaded App from High Risk App Store (SDK) | A side-loaded app signed with a deny-listed certificate was detected. These certificates can be used to sign malicious apps on third-party app stores. | Critical | - | Yes | - | - | BLACKLISTED_CERTIFICATE, 155 | Automatic | Device | BLACKLISTED_CERTIFICATE | - |
Sideloaded App(s) (SDK) Note: This threat is not supported for iOS Release 17.5.1 or later. | Sideloaded apps are installed independently of an official app store and can present a security risk. | Elevated | Yes | Yes | Yes | - | SIDELOADED_APP, 76 | Automatic | Malware | host.sideloaded_app | Initial Access, Collection, Exfiltration, Persistence |
Sideloaded Browser Extension | A sideloaded extension is detected, which was not installed from an official web store. These extensions and their developers may not be verified and can present a security risk. | Elevated | - | - | - | Yes | SIDELOADED_BROWSER_EXTENSION, 1005 | Automatic | App | chromeos.extension.sideloaded | Persistence, Credential Access, Discovery, Collection, Execution |
Sideloaded Risky Malware (SDK Only) | A known malicious app attempts to control the device in some manner, such as elevation of privileges or spyware. This malware has been installed through non-official stores. | Critical | - | - | - | - | SIDELOADED_RISKY_MALWARE, 170 | Automatic | Malware | host.app.malicious.risky | Initial Access, Persistence, Credential Access, Impact, Collection, Exfiltration, Execution |
SIM Change (SDK) | The SIM (subscriber identity module) card that uniquely identifies the device or the state of the SIM (e.g. Deactivated) has changed. Sensitive information about the device and of the user is stored on the SIM. Altering the SIM without knowledge or consent is a potential risk and should be investigated. | Normal | Yes | - | - | - | SIM_CHANGE, 168 | Automatic | Device | SIM_CHANGE | Initial Access |
Site Blocked | A user tapped on website content not approved by your organization and the site was blocked. [j] | Elevated | Yes | Yes | Yes | Yes | WEBSITE_BLOCKED, 134 | Automatic | Device | content_filter.blocked | Initial Access |
Site Warning - Link Tapped | Website content not approved by your organization was tapped on the device. [j] | Elevated | Yes | Yes | Yes | Yes | WEBSITE_TAPPED, 132 | Automatic | Device | content_filter.website_tapped | Initial Access |
Site Warning - Link Visited | A user tapped on website content not approved by your organization. The user was warned the website content does not comply with your organization's policies and chose to continue to the website after the warning. [j] | Elevated | Yes | Yes | Yes | Yes | WEBSITE_VISITED, 133 | Automatic | Device | content_filter.website_visited | Initial Access |
SSL/TLS Downgrade (SDK) - Deprecated | SSL/TLS downgrades force apps to use old encryption protocols. These protocols may be vulnerable to attacks that allow third parties to view encrypted information. Note: This threat is deprecated. | Low | Yes | Yes | - | - | TLS_DOWNGRADE, 77 | Automatic | Network | network.ssl_tls_downgrade | Impact, Network Effects |
Stagefright Vulnerability (SDK) - Deprecated | Stagefright vulnerability indicates the device is on an OS patch version susceptible to compromise. | Elevated | Yes | - | Yes | - | STAGEFRIGHT_VULNERABLE, 40 | Automatic | Device | host.mediaserver.sf_vulnerability | Impact |
Storage Permission Required | The storage permission is required by the app to scan the device's local storage to identify risky or malicious apps that may steal personal or sensitive information. | Elevated | Yes | - | - | - | STORAGE_PERMISSION_REQUIRED, 142 | Automatic | Device | STORAGE_PERMISSION_REQUIRED | - |
Suspected Sideloaded iOS App (SDK) | An iOS app that is suspected to have not come from a formal or approved Apple app store has been detected on the device. The user must run a Deep Scan to confirm the sideloaded application. | Elevated | - | Yes | - | - | SUSPECTED_SIDELOADED_APP, 205 | Automatic | Malware | SUSPECTED_SIDELOADED_APP | - |
Suspicious Android App (SDK) | A known malicious app attempts to control the device in some manner, such as elevation of privileges or spyware. | Critical | Yes | - | - | - | APK_SUSPECTED, 13 | Automatic | Malware | host.app.malicious | Initial Access, Persistence, Exfiltration, Impact, Credential Access, Execution, Collection |
Suspicious APK File (SDK) | There is harmful code or behavior within the APK file, indicating a potential threat has been detected. | Elevated | Yes | - | - | - | MALICIOUS_APK_FILE, 206 | Automatic | Malware | MALICIOUS_APK_FILE | Initial Access, Persistence, Impact, Collection, Exfiltration, Execution |
Suspicious Browser Extension | An unsafe extension is detected. It is strongly recommended that you remove the extension immediately. | Critical | - | - | - | Yes | SUSPICIOUS_BROWSER_EXTENSION, 1002 | Automatic | App | chromeos.extension.suspicious | Persistence, Credential Access, Discovery, Collection, Execution |
Suspicious iOS App | A known malicious app is detected and can attempt to take control of the device in some manner, such as elevation of privileges or spyware. | Critical | - | Yes | - | - | SUSPICIOUS_IPA, 42 | Automatic | App | host.ipa.malicious | Initial Access, Persistence, Exfiltration, Impact, Credential Access, Execution, Collection |
Suspicious PDF File (SDK) | There is harmful code or behavior within the PDF file, indicating a potential threat has been detected. | Elevated | Yes | - | - | - | MALICIOUS_PDF_DOCUMENT, 174 | Automatic | Device | Malicious PDF document | Initial Access, Persistence, Credential Access, Impact, Collection, Exfiltration, Execution |
Suspicious Profile | A suspicious profile is a new profile introduced into the environment and is not explicitly trusted or untrusted. An administrator must review the profile and mark the profile as trusted or untrusted. | Elevated | - | Yes | - | - | SUSPICIOUS_PROFILE, 45 | Automatic | Device | host.profile.suspicious | Initial Access, Persistence, Exfiltration, Impact, Credential Access, Execution, Collection |
System Tampering (SDK) | System tampering is a process of removing security limitations that are in place by the device manufacturer, and it indicates that the device is fully compromised and can no longer be trusted. | Critical | Yes | Yes | Yes | - | SYSTEM_TAMPERING, 37 | Manual | Device | host.systemconfig.system_tampering | Execution, Privilege Escalation, Impact |
Tag Tracker Detected (SDK) | A tag tracker is detected. This tag could be tracking the user's location. If this tag is not known to the user, it should be disabled. | Elevated | Yes | - | - | - | TAG_TRACKER_DETECTED, 141 | Automatic | Device | TAG_TRACKER_DETECTED | - |
TestFlight App Installed | TestFlight is installed. TestFlight is a service provided by Apple that allows developers to distribute and test their applications with a group of testers before releasing them to the public. TestFlight is widely used by developers to ensure apps are stable and refined before public release. | Normal | - | Yes | - | - | TESTFLIGHT_INSTALLED, 209 | Automatic | Malware | TESTFLIGHT_INSTALLED | - |
TCP Scan (SDK) | A reconnaissance scan using the TCP protocol is often an indicator of a malicious attacker searching for a device vulnerable to a network attack, such as MITM. | Normal | Yes | - | - | - | TCP_SCAN, 0 | Automatic | Network | network.scan.tcp | Initial Access, Discovery, Collection, Network Effects |
UDP Scan (SDK) - Deprecated | A reconnaissance scan using the UDP protocol is often an indicator of a malicious attacker searching for a device vulnerable to a network attack, such as MITM. | Normal | Yes | - | - | - | UDP_SCAN, 1 | Automatic | Network | network.scan.udp | Initial Access, Discovery, Collection, Network Effects |
Unknown Sources Enabled (SDK) | App downloads from locations other than the Google Play store are enabled. | Elevated | Yes | - | Yes | - | UNKNOWN_SOURCES_ON, 25 | Automatic | Device | host.config.unknown_sources | Impact, Initial Access |
Unlocked Bootloader (SDK) | The device's bootloader is unlocked. The device bootloader is a system-level tool that manages the device's boot process and helps maintain the integrity of the device. Unlocking the bootloader can compromise the integrity of the device by permitting special system-level access to install non-standard software and applications, elevating the risk of the device and the data on the device. | Elevated | Yes | - | - | - | BOOTLOADER_UNLOCKED, 165 | Automatic | Device | BOOTLOADER_UNLOCKED | Initial Access, Persistence, Privilege Escalation, Defense Evasion, Execution |
Unscanned Files (SDK) Note: This threat was renamed from "PDF - Unscanned Files" to "Unscanned Files". | Unscanned files pose potential risks. Resuming the scan immediately is advised. | Elevated | Yes | Yes | - | - | UNSCANNED_PDF_FILES, 189 | Automatic | Device | UNSCANNED_PDF_FILES | - |
Unsecured Wi-Fi Network (SDK) | A connection to an unsecured Wi-Fi network is detected. These networks are not protected by encryption or authentication protocols and are open to attackers. | Low | Yes | Yes | - | - | UNSECURED_WIFI_NETWORK, 66 | Automatic | Network | network.unsecured_wifi | Initial Access, Network Effects, Exfiltration, Collection |
Untrusted Profile | An untrusted profile is a profile installed on one or more devices and is unsafe on your devices. An untrusted profile installed on devices can be used to control devices remotely, monitor and manipulate user activities, and hijack users' traffic. | Critical | - | Yes | - | - | UNTRUSTED_PROFILE, 24 | Automatic | Device | host.profile.untrusted | Initial Access, Persistence, Exfiltration, Impact, Credential Access, Execution, Collection |
USB Debugging Mode (SDK) | USB debugging is an advanced configuration option intended for development purposes only. By enabling USB debugging, your device can accept commands from a computer when plugged into a USB connection. | Elevated | Yes | - | - | - | USB_DEBUGGING_ON, 44 | Automatic | Device | host.usb.debugging | Impact, Initial Access |
VPN Connection Active (SDK) | A VPN connection is active. A VPN can be used to manipulate the device location and can potentially be a red flag used by fraudsters to mask their location during illegal transactions. | Low | Yes | Yes | - | - | VPN_ACTIVE, 204 | Automatic | Network | VPN_ACTIVE | Lateral Movement, Command and Control |
VPN Permission Required - Secure Web | The VPN permission is required to keep devices safe from risky websites. | Elevated | Yes | Yes | - | - | VPN_PERMISSION_REQUIRED_SECURE_WEB, 153 | Automatic | Device | VPN_PERMISSION_REQUIRED_SECURE_WEB | - |
VPN Permission Required - Secure Wi-Fi | VPN permission is required by the app to protect network data in the event of a malicious network attack. | Elevated | Yes | Yes | - | - | VPN_PERMISSION_REQUIRED_SECURE_WIFI, 154 | Automatic | Network | VPN_PERMISSION_REQUIRED_SECURE_WIFI | - |
Vulnerable Android Version (SDK) | The Android version installed on the device has one or more critical vulnerabilities and is not up-to-date. The outdated operating system exposes the device to known vulnerabilities and the threat of being exploited by malicious actors. The Android version should be updated immediately. | Elevated | Yes | - | Yes | - | ANDROID_NOT_UPDATED, 51 | Automatic | Device | host.vulnerable.android | Impact |
Vulnerable iOS Version (SDK) | The iOS version installed on the device has one or more critical vulnerabilities and is not up-to-date. The outdated operating system exposes the device to known vulnerabilities and the threat of being exploited by malicious actors. The iOS version should be updated immediately. | Elevated | - | Yes | - | - | IOS_NOT_UPDATED, 52 | Automatic | Device | host.vulnerable.ios | Impact |
Vulnerable, Non-Upgradable Android Version (SDK) | The device is running a vulnerable Android version. However, the device is not eligible for an operating system upgrade at this time. | Low | Yes | - | Yes | - | VULNERABLE_NON_UPGRADEABLE_ANDROID_VERSION, 89 | Automatic | Device | android_not_updated_unupgradable | Impact |
Vulnerable, Non-Upgradable iOS Version (SDK) | The device is running a vulnerable iOS version. However, the device is not eligible for an operating system upgrade at this time. | Low | - | Yes | - | - | VULNERABLE_NON_UPGRADEABLE_IOS_VERSION, 88 | Automatic | Device | host.vulnerable.ios.non-upgradeable | Impact |
Risky events in the Insights Dashboard
The events categorized as risky events in the Insights dashboard display are:
Note
A mobile threat defense platform can detect "risky events" such as malicious app installation, network anomalies, device vulnerability exploitation, jailbreaking/rooting attempts, phishing attacks, device compromise indicators, and unusual device activities. These alerts help protect against potential security threats.
Android Debug Bridge (ADB) Apps Not Verified
Android Device - Compatibility Not Tested by Google
BlueBorne Vulnerability
Daemon Anomaly
Developer Options
Device Encryption
Device Pin
Google Play Protect Disabled
MITM - Fake SSL certificate
Rogue Access Point: Nearby
Sideloaded App(s)
Site Insight - Link Tapped
Stagefright Vulnerability
Suspicious Profile
Unknown Sources Enabled
USB Debugging Mode
Mobile security app is not activated on both work and personal profiles - Android for Work
Key features
The key features section shows a summary of the enabled or disabled status values for key features of the solution. These features show status for:
MDM Integration - Enables the synchronization of devices, defines group usage in policy and configuration items, and provides granular protection mechanisms. This feature is enabled if there is at least one MDM integration set up in Mobile Security Console.
SIEM Integration - Provides a secure method for pulling security events from the mobile security console. This is enabled if there is at least one SIEM integration set up in the Manage > Integrations > Data Export section of Mobile Security Console or with the Syslog pull integration.
Advanced App Analysis - Assesses mobile app risk among company devices, enabling intelligent identification of safe and risky apps, and setting security policies to mitigate risk. This is enabled by default for the enterprise under normal circumstances.
Phishing Detection - Enables administrators to warn and protect users from accessing harmful websites and links that may pose a danger. This is enabled if URL sharing or VPN-based phishing detection is enabled for at least one group within Mobile Security Console.
App Policy - Enables the application vetting capability. This feature is enabled if at least one app policy has been created under the Policy page.