Skip to content

T1437.001 Web Protocols

Adversaries may communicate using application layer protocols associated with web protocols traffic to avoid detection/network filtering by blending in with existing traffic. Commands to remote mobile devices, and often the results of those commands, will be embedded within the protocol traffic between the mobile client and server.

Web protocols such as HTTP and HTTPS are used for web traffic as well as well as notification services native to mobile messaging services such as Google Cloud Messaging (GCM) and newly, Firebase Cloud Messaging (FCM), (GCM/FCM: two-way communication) and Apple Push Notification Service (APNS; one-way server-to-device). Such notification services leverage HTTP/S via the respective API and are commonly abused on Android and iOS respectively in order blend in with routine device traffic making it difficult for enterprises to inspect.

Item Value
ID T1437.001
Sub-techniques T1437.001
Tactics TA0037
Platforms Android, iOS
Version 1.0
Created 01 April 2022
Last Modified 24 October 2025

Procedure Examples

ID Name Description
S1061 AbstractEmu AbstractEmu can use HTTP to communicate with the C2 server.23
S1095 AhRat AhRat can communicate with the C2 using HTTPS requests.8
S0525 Android/AdDisplay.Ashas Android/AdDisplay.Ashas has communicated with the C2 server using HTTP.22
S0304 Android/Chuli.A Android/Chuli.A used HTTP uploads to a URL as a command and control mechanism.18
S0540 Asacub Asacub has communicated with the C2 using HTTP POST requests.27
S1079 BOULDSPY BOULDSPY uses unencrypted HTTP traffic between the victim and C2 infrastructure.26
S1094 BRATA BRATA can use both HTTP and WebSockets to communicate with the C2 server.33
S0432 Bread Bread communicates with the C2 server using HTTP requests.32
C0033 C0033 During C0033, PROMETHIUM used StrongPity to communicate with the C2 server using HTTPS.48
S0480 Cerberus Cerberus communicates with the C2 server using HTTP.29
S1083 Chameleon Chameleon has used HTTP to communicate with the C2 server.13
S0555 CHEMISTGAMES CHEMISTGAMES has used HTTPS for C2 communication.9
S1225 CherryBlos CherryBlos has communicated with the C2 server using HTTPS.44
S0426 Concipit1248 Concipit1248 communicates with the C2 server using HTTP requests.24
S0425 Corona Updates Corona Updates communicates with the C2 server using HTTP requests.24
G0070 Dark Caracal Dark Caracal controls implants using standard HTTP communication.47
S0479 DEFENSOR ID DEFENSOR ID has used Firebase Cloud Messaging for C2.35
S0478 EventBot EventBot communicates with the C2 using HTTP requests.6
S0522 Exobot Exobot has used HTTPS for C2 communication.30
S0405 Exodus Exodus One checks in with the command and control server using HTTP POST requests.20
S0509 FakeSpy FakeSpy exfiltrates data using HTTP requests.46
S1067 FluBot FluBot can use HTTP POST requests on port 80 for communicating with its C2 server.31
S1093 FlyTrap FlyTrap can use HTTP to communicate with the C2 server.2
S1231 GodFather GodFather has leveraged WebSockets for C2.15
S0535 Golden Cup Golden Cup has communicated with the C2 using MQTT and HTTP.16
S0551 GoldenEagle GoldenEagle has used HTTP POST requests for C2.17
S0536 GPlayed GPlayed has communicated with the C2 using HTTP requests or WebSockets as a backup.1
S0406 Gustuff Gustuff communicates with the command and control server using HTTP requests.34
S1077 Hornbill Hornbill can use HTTP and HTTP POST to communicate information to the C2.19
S0463 INSOMNIA INSOMNIA communicates with the C2 server using HTTPS requests.38
S1185 LightSpy LightSpy has used both HTTPS and Websockets to communicate with the C2.453
S1241 RatMilad RatMilad has used HTTP POST requests for communicating with its C2 server.7
S0539 Red Alert 2.0 Red Alert 2.0 has communicated with the C2 using HTTP.39
S0326 RedDrop RedDrop uses HTTP requests for C2 communication.14
S0403 Riltok Riltok communicates with the command and control server using HTTP requests.12
S0411 Rotexy Rotexy can communicate with the command and control server using JSON payloads sent in HTTP POST request bodies. It can also communicate by using JSON messages sent through Google Cloud Messaging.28
S0313 RuMMS RuMMS uses HTTP for command and control.21
S1062 S.O.V.A. S.O.V.A. can use the open-source project RetroFit for C2 communication.43
S1055 SharkBot SharkBot can use HTTP to send C2 messages to infected devices.40
S0549 SilkBean SilkBean has used HTTPS for C2 communication.17
S0327 Skygofree Skygofree can be controlled via HTTP, XMPP, FirebaseCloudMessaging, or GoogleCloudMessaging in older versions.45
S1195 SpyC23 SpyC23 can communicate with the Command and Control server using HTTPS and Firebase Cloud Messaging (FCM).3736
S0427 TrickMo TrickMo communicates with the C2 by sending JSON objects over unencrypted HTTP requests.10
S0307 Trojan-SMS.AndroidOS.Agent.ao Trojan-SMS.AndroidOS.Agent.ao uses Google Cloud Messaging (GCM) for command and control.11
S0306 Trojan-SMS.AndroidOS.FakeInst.a Trojan-SMS.AndroidOS.FakeInst.a uses Google Cloud Messaging (GCM) for command and control.11
S0308 Trojan-SMS.AndroidOS.OpFake.a Trojan-SMS.AndroidOS.OpFake.a uses Google Cloud Messaging (GCM) for command and control.11
S0418 ViceLeaker ViceLeaker uses HTTP requests for C2 communication.4142
S0311 YiSpecter YiSpecter has connected to the C2 server via HTTP.25

References

  1. V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market . Retrieved November 24, 2020. 

  2. A. Yaswant. (2021, August 9). FlyTrap Android Malware Compromises Thousands of Facebook Accounts. Retrieved September 28, 2023. 

  3. Dmitry Bestuzhev. (2025, April 7). The Coordinated Kill Switch: LightSpy’s iOS Destructive Plugin Architecture Manages Device Disablement. Retrieved April 14, 2025. 

  4. ThreatFabric. (2023, October 2). LightSpy mAPT Mobile Payment System Attack. Retrieved January 17, 2025. 

  5. ThreatFabric. (2024, October 29). LightSpy: Implant for iOS. Retrieved January 30, 2025. 

  6. D. Frank, L. Rochberger, Y. Rimmer, A. Dahan. (2020, April 30). EventBot: A New Mobile Banking Trojan is Born. Retrieved June 26, 2020. 

  7. Gupta, N. (2022, October 5). We Smell A RatMilad Android Spyware. Retrieved August 27, 2025. 

  8. Lukas Stefanko. (2023, May 23). Android app breaking bad: From legitimate screen recording to file exfiltration within a year. Retrieved December 18, 2023. 

  9. B. Leonard, N. Mehta. (2019, November 21). The Secret Life of Sandworms. Retrieved December 31, 2020. 

  10. P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. Retrieved April 24, 2020. 

  11. Roman Unuchek and Victor Chebyshev. (2014, February 24). Mobile Malware Evolution: 2013. Retrieved December 22, 2016. 

  12. Tatyana Shishkova. (2019, June 25). Riltok mobile Trojan: A banker with global reach. Retrieved August 7, 2019. 

  13. Cyble Research & Intelligence Labs. (2023, April 13). Banking Trojan targeting mobile users in Australia and Poland. Retrieved August 16, 2023. 

  14. Nell Campbell. (2018, February 27). RedDrop: the blackmailing mobile malware family lurking in app stores. Retrieved November 17, 2024. 

  15. Ortega, F. Pratapagiri, V. (2025, June 18). Your Mobile App, Their Playground: The Dark Side of Virtualization. Retrieved July 16, 2025. 

  16. R. Iarchy, E. Rynkowski. (2018, July 5). GoldenCup: New Cyber Threat Targeting World Cup Fans. Retrieved October 29, 2020. 

  17. A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020. 

  18. Costin Raiu, Denis Maslennikov, Kurt Baumgartner. (2013, March 26). Android Trojan Found in Targeted Attack. Retrieved December 23, 2016. 

  19. Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. Retrieved June 9, 2023. 

  20. Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved November 17, 2024. 

  21. Wu Zhou, Deyu Hu, Jimmy Su, Yong Kang. (2016, April 26). RUMMS: THE LATEST FAMILY OF ANDROID MALWARE ATTACKING USERS IN RUSSIA VIA SMS PHISHING. Retrieved February 6, 2017. 

  22. L. Stefanko. (2019, October 24). Tracking down the developer of Android adware affecting millions of users. Retrieved October 29, 2020. 

  23. P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. Retrieved February 6, 2023. 

  24. T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. Retrieved April 24, 2020. 

  25. Claud Xiao. (2015, October 4). YiSpecter: First iOS Malware That Attacks Non-jailbroken Apple iOS Devices by Abusing Private APIs. Retrieved March 3, 2023. 

  26. Kyle Schmittle, Alemdar Islamoglu, Paul Shunk, Justin Albrecht. (2023, April 27). Lookout Discovers Android Spyware Tied to Iranian Police Targeting Minorities: BouldSpy. Retrieved July 21, 2023. 

  27. T. Shishkova. (2018, August 28). The rise of mobile banker Asacub. Retrieved December 14, 2020. 

  28. T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan – banker and ransomware. Retrieved September 23, 2019. 

  29. A. Hazum, B. Melnykov, C. Efrati, D. Golubenko, I. Wernik, L. Kuperman, O. Mana. (2020, April 29). First seen in the wild – Malware uses Corporate MDM as attack vector. Retrieved June 26, 2020. 

  30. Threat Fabric. (2017, February). Exobot - Android banking Trojan on the rise. Retrieved October 29, 2020. 

  31. Crista Giering, F. Naves, Andrew Conway, Adam McNeil . (2021, April 27). FluBot Android Malware Spreading Rapidly Through Europe, May Hit U.S. Soon. Retrieved February 28, 2023. 

  32. A. Guertin, V. Kotov, Android Security & Privacy Team. (2020, January 9). PHA Family Highlights: Bread (and Friends) . Retrieved April 27, 2020. 

  33. Federico Valentini, Francesco Lubatti. (2022, January 24). How BRATA is monitoring your bank account. Retrieved December 18, 2023. 

  34. Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia . Retrieved September 3, 2019. 

  35. L. Stefanko. (2020, May 22). Insidious Android malware gives up all malicious features but one to gain stealth. Retrieved June 26, 2020. 

  36. Kohli, P. (2021, November 23). Android APT spyware, targeting Middle East victims, enhances evasiveness. Retrieved November 17, 2024. 

  37. Stefanko, L. (2020, September 30). APT‑C‑23 group evolves its Android spyware. Retrieved March 4, 2024. 

  38. A. Case, D. Lassalle, M. Meltzer, S. Koessel, et al.. (2020, April 21). Evil Eye Threat Actor Resurfaces with iOS Exploit and Updated Implant. Retrieved June 2, 2020. 

  39. J. Chandraiah. (2018, July 23). Red Alert 2.0: Android Trojan targets security-seekers. Retrieved December 14, 2020. 

  40. RIFT: Research and Intelligence Fusion Team. (2022, March 3). SharkBot: a “new” generation Android banking Trojan being distributed on Google Play Store. Retrieved January 18, 2023. 

  41. GReAT. (2019, June 26). ViceLeaker Operation: mobile espionage targeting Middle East. Retrieved November 21, 2019. 

  42. L. Arsene, C. Ochinca. (2018, August 20). Triout – Spyware Framework for Android with Extensive Surveillance Capabilities. Retrieved January 21, 2020. 

  43. ThreatFabric. (2021, September 9). S.O.V.A. - A new Android Banking trojan with fowl intentions. Retrieved February 6, 2023. 

  44. Trend Micro Research. (2023, July 28). Related CherryBlos and FakeTrade Android Malware Involved in Scam Campaigns. Retrieved March 28, 2025. 

  45. Nikita Buchka and Alexey Firsh. (2018, January 16). Skygofree: Following in the footsteps of HackingTeam. Retrieved September 24, 2018. 

  46. O. Almkias. (2020, July 1). FakeSpy Masquerades as Postal Service Apps Around the World. Retrieved September 15, 2020. 

  47. Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018. 

  48. Stefanko, L. (2023, January 10). StrongPity espionage campaign targeting Android users. Retrieved January 31, 2023.