Application Layer Protocol

Sub-techniques (1)

ID	Name
T1437.001	Web Protocols

Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the mobile device, and often the results of those commands, will be embedded within the protocol traffic between the mobile device and server.

Adversaries may utilize many different protocols, including those used for web browsing, transferring files, electronic mail, or DNS.

ID: T1437

Sub-techniques: T1437.001

Tactic Type: Post-Adversary Device Access

ⓘ

Tactic: Command and Control

ⓘ

Platforms: Android, iOS

ⓘ

MTC ID: APP-29

Version: 1.2

Created: 25 October 2017

Last Modified: 19 April 2022

Version Permalink

Live Version

Procedure Examples

ID	Name	Description
S0550	DoubleAgent	DoubleAgent has used both FTP and TCP sockets for data exfiltration.^[1]
S1054	Drinik	Drinik has code to use Firebase Cloud Messaging for receiving C2 instructions.^[2]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

Abuse of standard application protocols can be difficult to detect as many legitimate mobile applications leverage such protocols for language-specific APIs. Enterprises may be better served focusing on detection at other stages of adversarial behavior.

References

A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020.

Cyble. (2022, October 27). Drinik Malware Returns With Advanced Capabilities Targeting Indian Taxpayers. Retrieved January 18, 2023.