T1660 Phishing
Adversaries may send malicious content to users in order to gain access to their mobile devices. All forms of phishing are electronically delivered social engineering. Adversaries can conduct both non-targeted phishing, such as in mass malware spam campaigns, as well as more targeted phishing tailored for a specific individual, company, or industry, known as “spearphishing.” Phishing often involves social engineering techniques, such as posing as a trusted source, as well as evasion techniques, such as removing or manipulating emails or metadata/headers from compromised accounts being abused to send messages.
Mobile phishing may take various forms. For example, adversaries may send emails containing malicious attachments or links, typically to deliver and then execute malicious code on victim devices. Phishing may also be conducted via third-party services, like social media platforms. Adversaries may also impersonate executives of organizations to persuade victims to perform some action on their behalf. For example, adversaries will often use social engineering techniques in text messages to trick victims into acting quickly, which leads to adversaries obtaining credentials and other information.
Mobile devices are a particularly attractive target for adversaries executing phishing campaigns. Because mobile devices have a smaller form factor than traditional desktop endpoints, users may not notice minor differences between genuine and phishing websites. Further, mobile devices have additional sensors and radios that allow adversaries to execute phishing attempts over several different vectors, such as:
- SMS messages: Adversaries may send SMS messages (known as “smishing”) from compromised devices to potential targets to convince the target to, for example, install malware, navigate to a specific website, or enable certain insecure configurations on their device.
- Quick Response (QR) Codes: Adversaries may use QR codes (known as “quishing”) to redirect users to a phishing website. For example, an adversary could replace a legitimate public QR Code with one that leads to a different destination, such as a phishing website. A malicious QR code could also be delivered via other means, such as SMS or email. In the latter case, an adversary could utilize a malicious QR code in an email to pivot from the user’s desktop computer to their mobile device.
- Phone Calls: Adversaries may call victims (known as “vishing”) to persuade them to perform an action, such as providing login credentials or navigating to a malicious website. This could also be used to gain initial access on a mobile device and then pivot to a computer or other network by having the victim perform an action on a desktop computer.
| Item | Value |
|---|---|
| ID | T1660 |
| Sub-techniques | |
| Tactics | TA0027 |
| Platforms | Android, iOS |
| Version | 1.1 |
| Created | 21 September 2023 |
| Last Modified | 20 August 2025 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| G1028 | APT-C-23 | APT-C-23 sends malicious links to victims to download the masqueraded application. [17][16] |
| G1002 | BITTER | BITTER has delivered malicious applications to victims via shortened URLs distributed through SMS, WhatsApp, and various social media platforms. [13] |
| S1094 | BRATA | BRATA has been distributed using phishing techniques, such as push notifications from compromised websites. [8] |
| S1083 | Chameleon | Chameleon has been distributed using phishing links and a Content Distribution Network (CDN) for file distribution. [2] |
| S1225 | CherryBlos | CherryBlos has been distributed through the threat actors’ Telegram group, fake TikTok and Twitter accounts, and YouTube videos. [3] |
| S1208 | FjordPhantom | FjordPhantom has been distributed via email, SMS and other messaging applications. [10] |
| S1067 | FluBot | FluBot has been distributed via malicious links in SMS messages. [7] |
| S1231 | GodFather | GodFather has generated fake notifications to lure the victim to phishing pages. [9] |
| S1185 | LightSpy | LightSpy has delivered malicious links through Telegram channels and Instagram posts. [5][6] |
| S0289 | Pegasus for iOS | Pegasus for iOS has been distributed via malicious links in SMS messages. [4] |
| S1241 | RatMilad | RatMilad has concealed itself behind variants of a phone number spoofing application, which was distributed through links on social media and communication platforms. [1] |
| G0034 | Sandworm Team | Sandworm Team used SMS-based phishing to target victims with malicious links. [15] |
| G1015 | Scattered Spider | Scattered Spider has sent SMS phishing messages to employee phone numbers with a link to a site configured with a fake credential harvesting login portal. [12][11] |
| G1029 | UNC788 | UNC788 has used phishing and social engineering to distribute malware. [14] |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1058 | Antivirus/Antimalware | Some mobile security products offer a loopback VPN used for inspecting traffic. This could proactively block traffic to websites that are known for phishing or appear to be conducting a phishing attack. |
| M1011 | User Guidance | Users can be trained to identify social engineering techniques and phishing emails. |
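
The kind of URL check a traffic-inspecting product or message gateway could apply to links arriving by SMS or decoded from a QR code, as an added example that is not part of the ATT&CK entry or any product's code. The shortener list, trusted-domain list, indicator names and the 0.85 similarity threshold are assumptions chosen for illustration.

```python
import ipaddress
import re
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Assumed inputs: a short shortener list and the organization's trusted domains.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
TRUSTED = {"example-bank.com"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def indicators(url):
    """Return the phishing indicators found in one URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    found = [] if parts.scheme.lower() == "https" else ["not-https"]
    try:
        ipaddress.ip_address(host)
        return found + ["ip-literal-host"]
    except ValueError:
        pass
    if host in SHORTENERS:
        found.append("url-shortener")
    if any(label.startswith("xn--") for label in host.split(".")):
        found.append("punycode-label")
    # Naive registrable domain (last two labels); production code needs the Public Suffix List.
    base = ".".join(host.split(".")[-2:])
    for good in TRUSTED:
        if base == good:
            continue
        if good in host:
            found.append("trusted-name-in-foreign-host")
        elif SequenceMatcher(None, base, good).ratio() >= 0.85:
            found.append("lookalike-domain")
    return found

def triage(text):
    """Map each URL in an SMS body or decoded QR payload to its indicators."""
    return {u: indicators(u) for u in (m.rstrip(".,)") for m in URL_RE.findall(text))}

# Constructed sample messages, not taken from any real campaign.
SAMPLES = [
    "Your parcel is held. Confirm now: http://bit.ly/x1y2z3",
    "Security alert: https://examp1e-bank.com/login",
    "Statement ready at https://www.example-bank.com/statements.",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(triage(msg))
```

A shortener hit alone says nothing about the destination, so a gateway would normally resolve the redirect and run the same checks on the final URL before deciding.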
References
1. Gupta, N. (2022, October 5). We Smell A RatMilad Android Spyware. Retrieved August 27, 2025.
2. ThreatFabric. (2023, December 21). Android Banking Trojan Chameleon can now bypass any Biometric Authentication. Retrieved July 7, 2025.
3. Trend Micro Research. (2023, July 28). Related CherryBlos and FakeTrade Android Malware Involved in Scam Campaigns. Retrieved March 28, 2025.
4. Marczak, B., et al. (2020, December 20). The Great iPwn. Retrieved April 3, 2024.
5. Firsh, A., et al. (2020, March 26). iOS exploit chain deploys LightSpy feature-rich malware. Retrieved January 13, 2025.
6. Shoshin, P. (2020, March 27). LightSpy spyware targets iPhone users in Hong Kong. Retrieved February 12, 2025.
7. Europol. (2022, June 1). Takedown of SMS-based FluBot spyware infecting Android phones. Retrieved April 18, 2024.
8. Securelist. (2019, August 29). Fully equipped Spying Android RAT from Brazil: BRATA. Retrieved December 18, 2023.
9. Merkle Science. (2023, April 25). The Godfather Android Malware: Threat under the lens. Retrieved July 16, 2025.
10. Promon Security Research Team. (2024, October 1). Retrieved February 19, 2025.
11. Mandiant Incident Response. (2025, May 6). Defending Against UNC3944: Cybercrime Hardening Guidance from the Frontlines. Retrieved October 13, 2025.
12. Microsoft. (2023, October 25). Octo Tempest crosses boundaries to facilitate extortion, encryption, and destruction. Retrieved March 18, 2024.
13. BlackBerry Research and Insights Team. (n.d.). Mobile Malware and APT Espionage. Retrieved March 1, 2024.
14. Agranovich, D., et al. (2022, April). Adversarial Threat Report. Retrieved April 2, 2024.
15. Billy Leonard. (2023, April 19). Ukraine remains Russia’s biggest cyber focus in 2023. Retrieved March 1, 2024.
16. CheckPoint Research. (2020, February 16). Hamas Android Malware On IDF Soldiers-This is How it Happened. Retrieved November 17, 2024.
17. Kohli, P. (2021, November 23). Android APT spyware, targeting Middle East victims, enhances evasiveness. Retrieved November 17, 2024.