OS-vendor provided communication channels

Google and Apple provide Google Cloud Messaging and Apple Push Notification Service, respectively, services designed to enable efficient communication between third-party mobile app backend servers and the mobile apps running on individual devices. These services maintain an encrypted connection between every mobile device and Google or Apple that cannot easily be inspected and must be allowed to traverse networks as part of normal device operation. These services could be used by adversaries for communication to compromised mobile devices. [1] [2]

ID: T1390

Tactic: Adversary Opsec

Version: 1.0

Detection

Detectable by Common Defenses (Yes/No/Partial): No

Explanation: These services are heavily utilized by mainstream mobile app developers. High volume of communications makes it extremely hard for a defender to distinguish between legitimate and adversary communications.

Difficulty for the Adversary

Easy for the Adversary (Yes/No): Yes

Explanation: These are free services provided by Google and Apple to app developers, and information on how to use them is readily available.

References

  1. Roman Unuchek, Victor Chebyshev. (2014, February 24). Mobile Malware Evolution: 2013. Retrieved April 12, 2017.
  1. Alberto Coletta, Victor van der Veen, and Federico Maggi. (2016). DroydSeuss: A Mobile Banking Trojan Tracker - Short Paper. Retrieved April 12, 2017.