T1437 Application Layer Protocol
Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the mobile device, and often the results of those commands, will be embedded within the protocol traffic between the mobile device and server.
Adversaries may utilize many different protocols, including those used for web browsing, transferring files, electronic mail, or DNS.
| Item | Value |
|---|---|
| ID | T1437 |
| Sub-techniques | T1437.001 |
| Tactics | TA0037 |
| Platforms | Android, iOS |
| Version | 1.2 |
| Created | 25 October 2017 |
| Last Modified | 24 October 2025 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| S1083 | Chameleon | Chameleon has used a SOCKS proxy. [1] |
| S1243 | DCHSpy | DCHSpy has uploaded collected data to a Secure File Transfer Protocol (SFTP) server. [2] |
| S0550 | DoubleAgent | DoubleAgent has used both FTP and TCP sockets for data exfiltration. [3] |
| S1054 | Drinik | Drinik has code to use Firebase Cloud Messaging for receiving C2 instructions. [4] |
| C0054 | Operation Triangulation | During Operation Triangulation, the threat actors used HTTPS POST requests for C2 communication. [5] |
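The procedure examples above (FTP and SFTP uploads, upload-heavy HTTPS POST traffic) point to what a defender can look for in per-app mobile egress telemetry. The snippet below is an added example, not code from the ATT&CK page or from any of the software listed; the flow records, package names, destination hosts and thresholds are all constructed, and the heuristics are assumptions about what is rare for a legitimate mobile app.

```python
"""Triage per-app mobile egress flows for T1437-style C2 / exfiltration patterns."""
from dataclasses import dataclass

# Assumption: destination port is a usable stand-in for the application protocol.
PROTO_BY_PORT = {21: "ftp", 22: "ssh/sftp", 25: "smtp", 53: "dns", 80: "http", 443: "https"}
# Assumption: ordinary consumer apps have no business opening file-transfer sessions.
FILE_TRANSFER = {"ftp", "ssh/sftp"}


@dataclass
class Flow:
    app: str        # package name reported by the MDM / proxy
    dst_host: str
    dst_port: int
    bytes_out: int
    bytes_in: int
    sessions: int   # HTTP POSTs or transport sessions observed in the window


# Constructed sample telemetry (not real data); hosts use documentation ranges.
SAMPLE_FLOWS = [
    Flow("com.example.notes", "cdn.example.net", 443, 12_000, 850_000, 40),
    Flow("com.example.gallery", "203.0.113.7", 21, 2_400_000, 3_000, 3),
    Flow("com.example.weather", "198.51.100.9", 22, 900_000, 1_200, 2),
    Flow("com.example.chat", "api.example.org", 443, 700_000, 20_000, 650),
]


def classify(flow: Flow, upload_ratio: float = 10.0, min_out: int = 500_000) -> list[str]:
    """Return the reasons a flow deserves review; an empty list means nothing flagged."""
    proto = PROTO_BY_PORT.get(flow.dst_port, f"tcp/{flow.dst_port}")
    reasons = []
    if proto in FILE_TRANSFER:
        reasons.append(f"{proto} session to {flow.dst_host} from a mobile app")
    # Sustained upload volume dwarfing downloads over an otherwise normal protocol
    # (e.g. HTTPS POST) is the shape of exfiltration hiding in allowed traffic.
    if flow.bytes_out >= min_out and flow.bytes_out > upload_ratio * max(flow.bytes_in, 1):
        reasons.append(f"upload-heavy: {flow.bytes_out} B out vs {flow.bytes_in} B in")
    return reasons


def triage(flows: list[Flow]) -> dict[str, list[str]]:
    """Map each flagged app to its reasons; unflagged apps are omitted."""
    return {f.app: classify(f) for f in flows if classify(f)}


if __name__ == "__main__":
    for app, reasons in triage(SAMPLE_FLOWS).items():
        print(app, "->", "; ".join(reasons))
```

Thresholds are deliberately coarse; in practice they would be tuned per app category and compared against a baseline of that app's normal traffic shape.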
References
1. ThreatFabric. (2023, December 21). Android Banking Trojan Chameleon can now bypass any Biometric Authentication. Retrieved July 7, 2025.
2. Albrecht, J., Islamoglu, A. (2025, July 21). Lookout Discovers Iranian APT MuddyWater Leveraging DCHSpy During Israel-Iran Conflict. Retrieved September 19, 2025.
3. Kumar, A., Del Rosso, K., Albrecht, J., Hebeisen, C. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020.
4. Cyble. (2022, October 27). Drinik Malware Returns With Advanced Capabilities Targeting Indian Taxpayers. Retrieved November 17, 2024.
5. Kucherin, G., et al. (2023, June 21). Dissecting TriangleDB, a Triangulation spyware implant. Retrieved April 18, 2024.