Standard Application Layer Protocol
Adversaries may communicate using a common, standardized application layer protocol such as HTTP, HTTPS, SMTP, or DNS to avoid detection by blending in with existing traffic.
In the mobile environment, the Google Cloud Messaging (GCM; two-way) and Apple Push Notification Service (APNS; one-way server-to-device) are commonly used protocols on Android and iOS respectively that would blend in with routine device traffic and are difficult for enterprises to inspect. Google reportedly responds to reports of abuse by blocking access to GCM.
|Android/Chuli.A||Android/Chuli.A used HTTP uploads to a URL as a command and control mechanism. |
|Dark Caracal||Dark Caracal controls implants using standard HTTP communication. |
|Exodus||Exodus One checks in with the command and control server using HTTP POST requests. |
|Gustuff||Gustuff communicates with the command and control server using HTTP requests. |
|Pallas||Pallas exfiltrates data using HTTP. |
|RedDrop||RedDrop uses standard HTTP for communication and exfiltration. |
|Riltok||Riltok communicates with the command and control server using HTTP requests. |
|Rotexy||Rotexy can communicate with the command and control server using JSON payloads sent in HTTP POST request bodies. It can also communicate by using JSON messages sent through Google Cloud Messaging. |
|RuMMS||RuMMS uses HTTP for command and control. |
|Skygofree||Skygofree can be controlled via HTTP, XMPP, FirebaseCloudMessaging, or GoogleCloudMessaging in older versions. |
|Trojan-SMS.AndroidOS.Agent.ao||Trojan-SMS.AndroidOS.Agent.ao uses Google Cloud Messaging (GCM) for command and control. |
|Trojan-SMS.AndroidOS.FakeInst.a||Trojan-SMS.AndroidOS.FakeInst.a uses Google Cloud Messaging (GCM) for command and control. |
|Trojan-SMS.AndroidOS.OpFake.a||Trojan-SMS.AndroidOS.OpFake.a uses Google Cloud Messaging (GCM) for command and control. |
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
- Roman Unuchek and Victor Chebyshev. (2014, February 24). Mobile Malware Evolution: 2013. Retrieved December 22, 2016.
- Costin Raiu, Denis Maslennikov, Kurt Baumgartner. (2013, March 26). Android Trojan Found in Targeted Attack. Retrieved December 23, 2016.
- Wu Zhou, Deyu Hu, Jimmy Su, Yong Kang. (2016, April 26). RUMMS: THE LATEST FAMILY OF ANDROID MALWARE ATTACKING USERS IN RUSSIA VIA SMS PHISHING. Retrieved February 6, 2017.
- Nikita Buchka and Alexey Firsh. (2018, January 16). Skygofree: Following in the footsteps of HackingTeam. Retrieved September 24, 2018.
- Nell Campbell. (2018, February 27). RedDrop: the blackmailing mobile malware family lurking in app stores. Retrieved September 18, 2018.
- Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.
- Tatyana Shishkova. (2019, June 25). Riltok mobile Trojan: A banker with global reach. Retrieved August 7, 2019.
- Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved September 3, 2019.
- Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia . Retrieved September 3, 2019.
- T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan – banker and ransomware. Retrieved September 23, 2019.