T1437 Application Layer Protocol
Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the mobile device, and often the results of those commands, will be embedded within the protocol traffic between the mobile device and server.
Adversaries may utilize many different protocols, including those used for web browsing, transferring files, electronic mail, or DNS.
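Because the C2 channel is a legitimate application-layer protocol, a defender's first practical check is whether a given app is using protocols it has no business using (the page notes DoubleAgent used FTP and raw TCP sockets) and whether those flows are upload-heavy, the shape that command results and exfiltrated data take on the return path. The example below is added here and is not code from the ATT&CK page or from either referenced report; the flow-record format, the per-app expected-protocol baseline and the thresholds are assumptions.

```python
# Added example (not from the ATT&CK page or the referenced reports).
# Rule-based triage of per-app network flow records, as exported from a
# mobile device agent or its egress gateway. Two rules:
#   (a) the app uses an application-layer protocol outside its baseline
#       (e.g. FTP or a raw TCP socket from an app that only needs HTTPS);
#   (b) the flow is upload-heavy, which is what exfiltration over an
#       otherwise ordinary protocol looks like in byte counts.
# Record layout, baseline and thresholds are assumptions for illustration.
from collections import defaultdict

# Constructed sample records: (app, dest_port, protocol, bytes_out, bytes_in).
FLOWS = [
    ("com.example.news", 443, "https", 2_100, 48_000),
    ("com.example.news", 443, "https", 1_800, 52_300),
    ("com.example.notes", 21, "ftp", 310_000, 900),
    ("com.example.notes", 4444, "tcp", 95_000, 1_200),
    ("com.example.notes", 443, "https", 900, 3_000),
]

# Assumed baseline of protocols each app is expected to use; in practice this
# comes from an MDM or app-vetting inventory. Unknown apps get an empty set,
# so every protocol they use is reported for review.
EXPECTED = {
    "com.example.news": {"https", "dns"},
    "com.example.notes": {"https", "dns"},
}

UPLOAD_RATIO = 20.0  # bytes_out / bytes_in at or above this is upload-heavy
MIN_OUT = 50_000     # ignore small flows so a single form POST is not flagged


def triage(flows, expected=EXPECTED):
    """Return {app: sorted finding strings} for apps whose flows need review."""
    findings = defaultdict(set)
    for app, port, proto, out, inn in flows:
        if proto not in expected.get(app, set()):
            findings[app].add(f"unexpected protocol {proto} on port {port}")
        if out >= MIN_OUT and out / max(inn, 1) >= UPLOAD_RATIO:
            findings[app].add(
                f"upload-heavy {proto} flow: {out} bytes out, {inn} in")
    return {app: sorted(f) for app, f in findings.items()}


if __name__ == "__main__":
    for app, notes in triage(FLOWS).items():
        print(app)
        for note in notes:
            print("  -", note)
```

Apps that only use their baseline protocols with ordinary download-heavy flows produce no findings; an app using FTP or an unexplained TCP port with a high upload ratio is reported once per rule per flow.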
| Item | Value |
|---|---|
| ID | T1437 |
| Sub-techniques | T1437.001 |
| Tactics | TA0037 |
| Platforms | Android, iOS |
| Version | 1.2 |
| Created | 25 October 2017 |
| Last Modified | 19 April 2022 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| S0550 | DoubleAgent | DoubleAgent has used both FTP and TCP sockets for data exfiltration. [2] |
| S1054 | Drinik | Drinik has code to use Firebase Cloud Messaging for receiving C2 instructions. [1] |
References
1. Cyble. (2022, October 27). Drinik Malware Returns With Advanced Capabilities Targeting Indian Taxpayers. Retrieved January 18, 2023.
2. A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020.