Skip to content

T1644 Out of Band Data

Adversaries may communicate with compromised devices using out of band data streams. This could be done for a variety of reasons, including evading network traffic monitoring, as a backup method of command and control, or for data exfiltration if the device is not connected to any Internet-providing networks (i.e. cellular or Wi-Fi). Several out of band data streams exist, such as SMS messages, NFC, and Bluetooth.

On Android, applications can read push notifications to capture content from SMS messages, or other out of band data streams. This requires that the user manually grant notification access to the application via the settings menu. However, the application could launch an Intent to take the user directly there.

On iOS, there is no way to programmatically read push notifications.

Item Value
ID T1644
Sub-techniques
Tactics TA0037
Platforms Android, iOS
Version 2.1
Created 06 April 2022
Last Modified 20 March 2023

Procedure Examples

ID Name Description
S0304 Android/Chuli.A Android/Chuli.A used SMS to receive command and control messages.15
S0655 BusyGasper BusyGasper can perform actions when one of two hardcoded magic SMS strings is received.13
S0529 CarbonSteal CarbonSteal has used specially crafted SMS messages to control the target device.7
S0505 Desert Scorpion Desert Scorpion can be controlled using SMS messages.12
S0406 Gustuff Gustuff can use SMS for command and control from a defined admin phone number.9
S0407 Monokle Monokle can be controlled via email and SMS from a set of “control phones.”5
S0316 Pegasus for Android Pegasus for Android uses SMS for command and control.6
S0289 Pegasus for iOS Pegasus for iOS uses SMS for command and control.10
S0295 RCSAndroid RCSAndroid can use SMS for command and control.14
S0411 Rotexy Rotexy can be controlled through SMS messages.2
S1055 SharkBot SharkBot can use the “Direct Reply” feature of Android to automatically reply to notifications with a message provided by C2.8
S0327 Skygofree Skygofree can be controlled via binary SMS.4
S0324 SpyDealer SpyDealer enables remote control of the victim through SMS channels.1
S0328 Stealth Mango Stealth Mango uses commands received from text messages for C2.11
S0427 TrickMo TrickMo can be controlled via encrypted SMS message.3

Mitigations

ID Mitigation Description
M1011 User Guidance Users should be instructed to not grant applications unexpected or unnecessary permissions.

Detection

ID Data Source Data Component
DS0042 User Interface System Notifications

References

  1. Wenjun Hu, Cong Zheng and Zhi Xu. (2017, July 6). SpyDealer: Android Trojan Spying on More Than 40 Apps. Retrieved September 18, 2018. 

  2. T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan – banker and ransomware. Retrieved September 23, 2019. 

  3. P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. Retrieved April 24, 2020. 

  4. Nikita Buchka and Alexey Firsh. (2018, January 16). Skygofree: Following in the footsteps of HackingTeam. Retrieved September 24, 2018. 

  5. Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. Retrieved September 4, 2019. 

  6. Mike Murray. (2017, April 3). Pegasus for Android: the other side of the story emerges. Retrieved April 16, 2017. 

  7. A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020. 

  8. RIFT: Research and Intelligence Fusion Team. (2022, March 3). SharkBot: a “new” generation Android banking Trojan being distributed on Google Play Store. Retrieved January 18, 2023. 

  9. Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia . Retrieved September 3, 2019. 

  10. Lookout. (2016). Technical Analysis of Pegasus Spyware. Retrieved December 12, 2016. 

  11. Lookout. (n.d.). Stealth Mango & Tangelo. Retrieved September 27, 2018. 

  12. A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. Retrieved September 11, 2020. 

  13. Alexey Firsh. (2018, August 29). BusyGasper – the unfriendly spy. Retrieved October 1, 2021. 

  14. Veo Zhang. (2015, July 21). Hacking Team RCSAndroid Spying Tool Listens to Calls; Roots Devices to Get In. Retrieved December 22, 2016. 

  15. Costin Raiu, Denis Maslennikov, Kurt Baumgartner. (2013, March 26). Android Trojan Found in Targeted Attack. Retrieved December 23, 2016.