Out of Band Data

Adversaries may communicate with compromised devices using out of band data streams. This could be done for a variety of reasons, including evading network traffic monitoring, as a backup method of command and control, or for data exfiltration if the device is not connected to any Internet-providing networks (i.e. cellular or Wi-Fi). Several out of band data streams exist, such as SMS messages, NFC, and Bluetooth.

On Android, applications can read push notifications to capture content from SMS messages or other out of band data streams. This requires that the user manually grant notification access to the application via the settings menu. However, the application can launch an Intent that takes the user directly to that settings screen.

On iOS, there is no way to programmatically read push notifications.
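A defender-side check for the notification-access mechanism described above, added here as an example (it is not part of the ATT&CK page or any of the cited reports): it parses the Android secure setting enabled_notification_listeners, which lists every package/service granted notification access as colon-separated entries, and reports packages that are absent from an allowlist. The sample setting value and the allowlist are constructed; on a real device the value is read with `adb shell settings get secure enabled_notification_listeners`.

```shell
# Audit which packages hold notification access on an Android device by parsing
# the secure setting "enabled_notification_listeners". Its value is a
# colon-separated list of "package/ServiceClass" entries. Any package not on the
# allowlist is printed, one per line, for follow-up review.

# Constructed sample value standing in for the output of:
#   adb shell settings get secure enabled_notification_listeners
SAMPLE_LISTENERS='com.android.systemui/.statusbar.NotificationListener:com.example.wear/.ListenerSvc:org.example.unknown/.NotifSvc'

# Constructed allowlist (assumption): packages expected to hold notification access.
ALLOWED_PACKAGES="com.android.systemui com.example.wear"

# unexpected_listeners LISTENER_VALUE ALLOWLIST
# Prints each package in LISTENER_VALUE that does not appear in ALLOWLIST.
unexpected_listeners() {
  listeners="$1"
  allowed="$2"
  printf '%s\n' "$listeners" | tr ':' '\n' | while IFS= read -r entry; do
    # skip empty entries (e.g. trailing colon or an unset setting)
    if [ -z "$entry" ]; then
      continue
    fi
    # the package name is everything before the first '/'
    pkg="${entry%%/*}"
    found=0
    for a in $allowed; do
      if [ "$a" = "$pkg" ]; then
        found=1
      fi
    done
    if [ "$found" -eq 0 ]; then
      printf '%s\n' "$pkg"
    fi
  done
}

# audit_device: read the live setting from a USB-attached device (needs adb on
# PATH and USB debugging enabled) and run the same check. Not executed here.
audit_device() {
  live="$(adb shell settings get secure enabled_notification_listeners | tr -d '\r')"
  unexpected_listeners "$live" "$ALLOWED_PACKAGES"
}

# Run the check against the constructed sample; prints "org.example.unknown".
unexpected_listeners "$SAMPLE_LISTENERS" "$ALLOWED_PACKAGES"
```

An empty result means every listener is on the allowlist; a value of "null" from adb means no package has been granted notification access.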

ID: T1644
Sub-techniques: No sub-techniques
Tactic Type: Post-Adversary Device Access
Platforms: Android, iOS
Version: 2.1
Created: 06 April 2022
Last Modified: 20 March 2023

Procedure Examples

ID Name Description
S0304 Android/Chuli.A

Android/Chuli.A used SMS to receive command and control messages.[1]

S1079 BOULDSPY

BOULDSPY can use SMS to send C2 commands.[2]

S0655 BusyGasper

BusyGasper can perform actions when one of two hardcoded magic SMS strings is received.[3]

S0529 CarbonSteal

CarbonSteal has used specially crafted SMS messages to control the target device.[4]

S0505 Desert Scorpion

Desert Scorpion can be controlled using SMS messages.[5]

S0406 Gustuff

Gustuff can use SMS for command and control from a defined admin phone number.[6]

S0407 Monokle

Monokle can be controlled via email and SMS from a set of "control phones."[7]

S0316 Pegasus for Android

Pegasus for Android uses SMS for command and control.[8]

S0289 Pegasus for iOS

Pegasus for iOS uses SMS for command and control.[9]

S0295 RCSAndroid

RCSAndroid can use SMS for command and control.[10]

S0411 Rotexy

Rotexy can be controlled through SMS messages.[11]

S1055 SharkBot

SharkBot can use the "Direct Reply" feature of Android to automatically reply to notifications with a message provided by C2.[12]

S0327 Skygofree

Skygofree can be controlled via binary SMS.[13]

S0324 SpyDealer

SpyDealer enables remote control of the victim through SMS channels.[14]

S0328 Stealth Mango

Stealth Mango uses commands received from text messages for C2.[15]

S0427 TrickMo

TrickMo can be controlled via encrypted SMS message.[16]

Mitigations

ID Mitigation Description
M1011 User Guidance

Users should be instructed to not grant applications unexpected or unnecessary permissions.

Detection

ID Data Source Data Component Detects
DS0042 User Interface System Notifications

If the user sees a notification with text they do not recognize, they should review their list of installed applications.

References