The CEH Mobile Platform Security module explains that mobile antivirus solutions rely heavily on signatures and known exploit patterns. A custom exploit with obfuscation is far more likely to bypass detection.
CEH explicitly teaches that:
Zero-day or unpatched vulnerabilities
Custom, obfuscated payloads
Minimal use of known frameworks
are the most effective for bypassing endpoint defenses during controlled testing.
Option A is correct.
Options B and C are easily detected.
Option D is social engineering, not a technical exploit.

According to the CEH Cryptography module, strong symmetric encryption algorithms are essential for protecting data confidentiality and obscuring traffic content.
AES (Advanced Encryption Standard) is the industry-standard symmetric encryption algorithm approved by NIST and recommended by CEH for encrypting data in transit and at rest. AES provides strong resistance against cryptanalysis and prevents attackers from deriving meaningful information from encrypted traffic.
Option D is correct because AES is efficient, secure, and widely implemented.
Option A (HMAC) provides integrity and authentication, not encryption.
Option B (RSA) is computationally expensive and not suitable for bulk traffic encryption.
Option C (DES) is deprecated due to weak key length.
CEH materials clearly recommend AES over legacy algorithms.

TCP 139 and UDP 137 and 138 correspond to NetBIOS over TCP/IP services that are closely associated with Windows file and printer sharing and legacy SMB browsing. In CEH methodology, these ports are high-value enumeration targets because NetBIOS name service and datagram service can disclose hostnames, domain or workgroup names, logged-in users, and shared resource details, often before any strong authentication occurs.
UDP 137 is used for NetBIOS Name Service, which supports name registration and lookup. UDP 138 supports NetBIOS Datagram Service, commonly tied to browsing and announcement traffic. TCP 139 supports NetBIOS Session Service, historically used to establish sessions for SMB traffic and to query share and user-related information when configurations are weak.
In real environments, misconfigurations such as permissive share settings, legacy protocols, or anonymous and guest-access allowances can allow an attacker to enumerate user accounts, groups, and policies indirectly through browsing data, share lists, and RPC-related exposure that frequently accompanies SMB environments. CEH training emphasizes prioritizing enumeration against Windows networking services because the information gained can rapidly support follow-on attacks such as password spraying, targeted phishing, lateral movement, and privilege escalation planning.
The other choices include TCP 21 FTP, TCP 23 Telnet, and TCP 25 SMTP, which may expose banners or allow limited user enumeration in specific configurations, but they are not the primary ports associated with classic Windows user and group enumeration. UDP 133 is not a standard enumeration target in this context.
Therefore, TCP 139 with UDP 137 and 138 is the best priority set for username and group-related enumeration.

CEH v13 describes Agent Smith-style attacks as malicious Android operations where an app silently replaces legitimate applications by exploiting weaknesses in the Android app update and installation processes. These attacks often begin when users download seemingly innocent apps from untrusted third-party marketplaces.
Once installed, the malicious application injects harmful code into other apps, overwriting them while preserving their icons and interface, allowing the attacker to harvest credentials, display ads, or maintain persistence without detection. CEH explains that this technique takes advantage of Android's APK structure, sideloading vulnerabilities, and lack of signature validation in compromised environments. Simjacker (Option A) targets SIM toolkit vulnerabilities and does not replace apps. Man-in-the-Disk (Option B) abuses external storage operations but does not overwrite applications. Camfecting (Option D) refers to hijacking smartphone cameras. The described malicious replacement of legitimate apps exactly matches the Agent Smith attack pattern.

TCP NULL scanning is a stealth scanning technique covered in CEH v13 Reconnaissance and Network Scanning. In a NULL scan, all TCP flags are set to zero. According to RFC 793 and CEH documentation, closed ports must respond with a TCP RST (Reset) packet.
If the port is open, the target typically does not respond, making this technique useful for firewall evasion.
Therefore:
RST response = Closed port
No response = Open or filtered port
Other options do not apply to NULL scans:
SYN/ACK is associated with SYN scans.
ICMP errors may indicate filtering, not port state.