1. Home
  2. Techniques
  3. Mobile
  4. Phishing

Phishing

Adversaries may send malicious content to users in order to gain access to their mobile devices. All forms of phishing are electronically delivered social engineering. Adversaries can conduct both non-targeted phishing, such as in mass malware spam campaigns, as well as more targeted phishing tailored for a specific individual, company, or industry, known as "spearphishing." Phishing often involves social engineering techniques, such as posing as a trusted source, as well as evasion techniques, such as removing or manipulating emails or metadata/headers from compromised accounts being abused to send messages.

Mobile phishing may take various forms. For example, adversaries may send emails containing malicious attachments or links, typically to deliver and then execute malicious code on victim devices. Phishing may also be conducted via third-party services, like social media platforms. Adversaries may also impersonate executives of organizations to persuade victims into performing some action on their behalf. For example, adversaries will often use social engineering techniques in text messages to trick the victims into acting quickly, which leads to adversaries obtaining credentials and other information.

Mobile devices are a particularly attractive target for adversaries executing phishing campaigns. Due to their smaller form factor than traditional desktop endpoints, users may not be able to notice minor differences between genuine and phishing websites. Further, mobile devices have additional sensors and radios that allow adversaries to execute phishing attempts over several different vectors, such as:

  • SMS messages: Adversaries may send SMS messages (known as "smishing") from compromised devices to potential targets to convince the target to, for example, install malware, navigate to a specific website, or enable certain insecure configurations on their device.
  • Quick Response (QR) Codes: Adversaries may use QR codes (known as "quishing") to redirect users to a phishing website. For example, an adversary could replace a legitimate public QR Code with one that leads to a different destination, such as a phishing website. A malicious QR code could also be delivered via other means, such as SMS or email. In the latter case, an adversary could utilize a malicious QR code in an email to pivot from the user’s desktop computer to their mobile device.
  • Phone Calls: Adversaries may call victims (known as "vishing") to persuade them to perform an action, such as providing login credentials or navigating to a malicious website. This could also be used as a technique to perform the initial access on a mobile device, but then pivot to a computer/other network by having the victim perform an action on a desktop computer.
ID: T1660
Sub-techniques:  No sub-techniques
Tactic Type: Post-Adversary Device Access
Tactic: Initial Access
Platforms: Android, iOS
MTC ID: AUT-9
Contributors: Adam Mashinchi; Brian Donohue; Lookout; Naveen Devaraja, bolttech; Sam Seabrook, Duke Energy; Vijay Lalwani; Will Thomas, Equinix
Version: 1.1
Created: 21 September 2023
Last Modified: 20 August 2025
Version Permalink

Procedure Examples

ID Name Description
G1028 APT-C-23

APT-C-23 sends malicious links to victims to download the masqueraded application.[1][2]

G1002 BITTER

BITTER has delivered malicious applications to victims via shortened URLs distributed through SMS, WhatsApp, and various social media platforms.[3]

S1094 BRATA

BRATA has been distributed using phishing techniques, such as push notifications from compromised websites.[4]
S1083 Chameleon

Chameleon has been distributed using phishing links and a Content Distribution Network (CDN) for file distribution.[5]

S1225 CherryBlos

CherryBlos has been distributed through the threat actors’ Telegram group, fake TikTok and Twitter accounts, and YouTube videos.[6]

S1208 FjordPhantom

FjordPhantom has been distributed via email, SMS and other messaging applications.[7]

S1067 FluBot

FluBot has been distributed via malicious links in SMS messages.[8]

S1231 GodFather

GodFather has generated fake notifications to lure the victim to phishing pages.[9]

S1185 LightSpy

LightSpy has delivered malicious links through Telegram channels and Instagram posts.[10][11]

S0289 Pegasus for iOS

Pegasus for iOS has been distributed via malicious links in SMS messages.[12]
S1241 RatMilad

RatMilad has concealed itself behind variants of a phone number spoofing application, which was distributed through links on social media and communication platforms.[13]

G0034 Sandworm Team

Sandworm Team used SMS-based phishing to target victims with malicious links.[14]
G1015 Scattered Spider

Scattered Spider has sent SMS phishing messages to employee phone numbers with a link to a site configured with a fake credential harvesting login portal.[15][16]

G1029 UNC788

UNC788 has used phishing and social engineering to distribute malware.[17]

Mitigations

ID Mitigation Description
M1058 Antivirus/Antimalware

Some mobile security products offer a loopback VPN used for inspecting traffic. This could proactively block traffic to websites that are known for phishing or appear to be conducting a phishing attack.
M1011 User Guidance

Users can be trained to identify social engineering techniques and phishing emails.

Detection Strategy

ID Name Analytic ID Analytic Description
DET0684 Detection of Phishing AN1791

Mobile security products may provide URL inspection services that could determine if a domain being visited is malicious.
Enterprises may be able to detect anomalous traffic originating from mobile devices, which could indicate compromise.
AN1792

Mobile security products may provide URL inspection services that could determine if a domain being visited is malicious.
Enterprises may be able to detect anomalous traffic originating from mobile devices, which could indicate compromise.

References

  1. Kohli, P. (2021, November 23). Android APT spyware, targeting Middle East victims, enhances evasiveness. Retrieved November 17, 2024.
  2. CheckPoint Research. (2020, February 16). Hamas Android Malware On IDF Soldiers-This is How it Happened. Retrieved November 17, 2024.
  3. BlackBerry Research and Insights Team. (n.d.). Mobile Malware and APT Espionage. Retrieved March 1, 2024.
  4. Securelist. (2019, August 29). Fully equipped Spying Android RAT from Brazil: BRATA. Retrieved December 18, 2023.
  5. ThreatFabric. (2023, December 21). Android Banking Trojan Chameleon can now bypass any Biometric Authentication. Retrieved July 7, 2025.
  6. Trend Micro Research. (2023, July 28). Related CherryBlos and FakeTrade Android Malware Involved in Scam Campaigns. Retrieved March 28, 2025.
  7. Promon Security Research Team. (2024, October 1). Retrieved February 19, 2025.
  8. Europol. (2022, June 1). Takedown of SMS-based FluBot spyware infecting Android phones. Retrieved April 18, 2024.
  9. Merkle Science. (2023, April 25). The Godfather Android Malware: Threat under the lens. Retrieved July 16, 2025.
  1. Firsh, A., et al. (2020, March 26). iOS exploit chain deploys LightSpy feature-rich malware. Retrieved January 13, 2025.
  2. Shoshin, P. (2020, March 27). LightSpy spyware targets iPhone users in Hong Kong. Retrieved February 12, 2025.
  3. Marczak, B., et al. (2020, December 20). The Great iPwn. Retrieved April 3, 2024.
  4. Gupta, N. (2022, October 5). We Smell A RatMilad Android Spyware. Retrieved August 27, 2025.
  5. Billy Leonard. (2023, April 19). Ukraine remains Russia’s biggest cyber focus in 2023. Retrieved March 1, 2024.
  6. Microsoft. (2023, October 25). Octo Tempest crosses boundaries to facilitate extortion, encryption, and destruction. Retrieved March 18, 2024.
  7. Mandiant Incident Response. (2025, May 6). Defending Against UNC3944: Cybercrime Hardening Guidance from the Frontlines. Retrieved October 13, 2025.
  8. Agranovich, D., et al. (2022, April). Adversarial Threat Report. Retrieved April 2, 2024.