Standard Application Layer Protocol

Adversaries may communicate using a common, standardized application layer protocol such as HTTP, HTTPS, SMTP, or DNS to avoid detection by blending in with existing traffic.

In the mobile environment, push notification services provide the same cover. Google Cloud Messaging (GCM; two-way, since superseded by Firebase Cloud Messaging, FCM) on Android and the Apple Push Notification service (APNs; one-way, server-to-device) on iOS carry routine traffic for a large share of legitimate apps, terminate at Google or Apple infrastructure rather than at an attacker-controlled host, and are difficult for enterprises to inspect. Google reportedly responds to reports of abuse by blocking the reported sender's access to GCM.[1]
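The blending-in described above can be turned around for detection: C2 over plain HTTP still tends to differ from user traffic in cadence (a fixed polling period) and direction (repeated uploads to one host). The following is an added example, not code from the ATT&CK page or from any of the malware families listed on it. It assumes a simplified, squid-like proxy log layout (the line format, the host names and the sample lines are all constructed for the example) and flags (client, host) pairs whose request intervals are nearly constant.

```python
import re
import statistics
from collections import defaultdict

# Constructed sample lines in an assumed squid-like layout (not real traffic):
# "<epoch> <client_ip> <method> <host> <path> <bytes_out> <status>"
SAMPLE_LOG = """\
1700000000 10.0.0.5 GET news.example.com /index.html 512 200
1700000005 10.0.0.5 POST c2.example.net /upload 2048 200
1700000065 10.0.0.5 POST c2.example.net /upload 2100 200
1700000125 10.0.0.5 POST c2.example.net /upload 2010 200
1700000185 10.0.0.5 POST c2.example.net /upload 2050 200
1700000245 10.0.0.5 POST c2.example.net /upload 2090 200
1700000300 10.0.0.5 GET cdn.example.com /img/logo.png 0 200
1700000301 10.0.0.5 GET cdn.example.com /img/a.png 0 200
1700000500 10.0.0.5 GET cdn.example.com /img/b.png 0 200
1700000520 10.0.0.5 GET cdn.example.com /img/c.png 0 200
1700000010 10.0.0.7 GET mail.example.org /inbox 100 200
"""

LINE_RE = re.compile(r"^(\d+) (\S+) ([A-Z]+) (\S+) (\S+) (\d+) (\d{3})$")


def parse_log(text):
    """Parse log lines into dicts. Malformed lines are skipped here; a production
    parser should count and surface them, since gaps in the log are a signal too."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, method, host, path, bytes_out, status = m.groups()
        records.append({
            "ts": int(ts), "client": client, "method": method, "host": host,
            "path": path, "bytes_out": int(bytes_out), "status": int(status),
        })
    return records


def find_beacons(records, min_requests=4, max_jitter=0.2):
    """Group requests by (client, host) and flag pairs whose inter-request
    intervals are regular. Regularity is the coefficient of variation
    (population stdev / mean) of the intervals: a sleep-loop poller scores
    near 0, while human browsing is bursty and scores well above 0.2."""
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["client"], r["host"])].append(r["ts"])

    findings = []
    for (client, host), times in by_pair.items():
        if len(times) < min_requests:
            continue
        times.sort()
        intervals = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(intervals)
        if mean == 0:
            continue  # duplicate timestamps only; not a polling cadence
        jitter = statistics.pstdev(intervals) / mean
        if jitter <= max_jitter:
            uploaded = sum(r["bytes_out"] for r in records
                           if r["client"] == client and r["host"] == host)
            findings.append({
                "client": client, "host": host, "count": len(times),
                "period_s": round(mean, 1), "jitter": round(jitter, 3),
                "bytes_out": uploaded,
            })
    return sorted(findings, key=lambda f: (f["jitter"], -f["count"]))


if __name__ == "__main__":
    for f in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{f['client']} -> {f['host']}: {f['count']} requests every "
              f"{f['period_s']}s (jitter {f['jitter']}), {f['bytes_out']} bytes uploaded")
```

On the constructed input only the c2.example.net POSTs are flagged: five requests exactly 60 s apart with several kilobytes uploaded each time, while the bursty CDN fetches fall outside the jitter threshold. Two caveats apply. First, this only addresses the HTTP cases; push-based C2 over GCM/FCM or APNs rides a persistent connection to Google or Apple and never shows up as separate periodic requests to an attacker host, which is exactly why the description calls it hard to inspect. Second, for HTTPS a proxy usually records only the CONNECT host or SNI, so the path and upload size may be unavailable, and legitimate polling apps will also trip a pure cadence check; baseline per host before alerting on it.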

ID: T1437

Tactic Type: Post-Adversary Device Access

Tactic: Command And Control, Exfiltration

Platform: Android, iOS

MTC ID: APP-29

Version: 1.1

Examples

Name / Description
Android/Chuli.A

Android/Chuli.A used HTTP uploads to a URL as a command and control mechanism.[2]

RedDrop

RedDrop exfiltrates data using standard HTTP.[3]

RuMMS

RuMMS uses HTTP for command and control.[4]

Skygofree

Skygofree can be controlled via HTTP, XMPP, Firebase Cloud Messaging, or Google Cloud Messaging in older versions.[5]

Trojan-SMS.AndroidOS.Agent.ao

Trojan-SMS.AndroidOS.Agent.ao uses Google Cloud Messaging (GCM) for command and control.[1]

Trojan-SMS.AndroidOS.FakeInst.a

Trojan-SMS.AndroidOS.FakeInst.a uses Google Cloud Messaging (GCM) for command and control.[1]

Trojan-SMS.AndroidOS.OpFake.a

Trojan-SMS.AndroidOS.OpFake.a uses Google Cloud Messaging (GCM) for command and control.[1]

References