S0079: MobileOrder
MobileOrder is a Trojan intended to compromise Android mobile devices. It has been used by Scarlet Mimic. [1]
Analyst context for executives and security teams
MobileOrder is an ATT&CK-listed Trojan intended to compromise Android mobile devices and associated by MITRE with Scarlet Mimic reporting. Its business significance is less about a specific enterprise platform listing and more about mobile endpoint risk: a compromised phone can expose local data, browser context, system details, and communications paths that may support espionage, data loss, or incident expansion.
Executive priority
Treat this as a prompt to validate mobile security governance, especially for users handling sensitive communications or regulated data. Leaders should ask whether Android devices are inventoried, monitored, subject to acceptable-use and app controls, and included in incident response evidence collection. Because ATT&CK provides no official detection guidance for this object, assurance should come from verified telemetry and response procedures rather than assumed tool coverage.
Technical view
SOC and IR teams should map MobileOrder-relevant behavior to the supplied relationships: local data collection, process/system/file/browser discovery, ingress tool transfer, and exfiltration over an existing C2 channel. Validate whether mobile device management, mobile threat defense, endpoint/network telemetry, DNS/proxy logs, and device forensic processes can show suspicious application behavior, unusual outbound communications, unexpected file access, and discovery activity. The object itself has no ATT&CK platforms or tactics specified, so local Android telemetry and the related techniques should drive practical coverage assessment.
Likely telemetry
- Android device inventory and enrollment status from mobile management systems
- Installed application/package metadata and app permission records where available
- Mobile threat defense or device security alerts for suspicious app behavior
- Network, DNS, proxy, or secure web gateway records showing outbound communications from mobile devices
- Evidence of local file, browser, process, and system information access when device telemetry supports it
Detection direction
- Confirm that mobile devices are in logging scope; unmanaged or personal Android devices are a likely blind spot.
- Hunt for combinations of discovery-like behavior, local data access, and unusual outbound communications rather than relying on a single indicator.
- Review network egress from mobile segments for persistent or abnormal communications that could carry command-and-control and exfiltration traffic.
- Tune carefully around legitimate mobile app synchronization, browser activity, and device management traffic to reduce false positives.
- Use the related ATT&CK techniques as analytic anchors because the MobileOrder object does not include official detection text.
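The hunting approach above (combinations of discovery, local data access and unusual egress, anchored on the related technique IDs) as an added example that is not part of the original page or of any vendor product: the event kinds, device names and timestamps are constructed sample telemetry, and the mapping from telemetry kind to technique is an assumption for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry): MTD/MDM app-behaviour records and
# proxy egress records for two devices. The "kind" labels are hypothetical.
EVENTS = [
    {"ts": "2026-02-10T09:00:05", "device": "android-017", "kind": "app_enumerated_packages"},
    {"ts": "2026-02-10T09:00:09", "device": "android-017", "kind": "app_read_device_identifiers"},
    {"ts": "2026-02-10T09:01:30", "device": "android-017", "kind": "app_read_sms_contacts"},
    {"ts": "2026-02-10T09:02:10", "device": "android-017", "kind": "egress_unexpected_host"},
    {"ts": "2026-02-10T11:20:00", "device": "android-042", "kind": "app_read_sms_contacts"},
    {"ts": "2026-02-10T15:45:00", "device": "android-042", "kind": "egress_unexpected_host"},
]

# Assumed mapping from telemetry kind to the MobileOrder-related technique and a
# coarse behaviour class; the technique IDs are the ones listed on this page.
KIND_TO_TECHNIQUE = {
    "app_enumerated_packages":     ("T1083", "discovery"),
    "app_read_device_identifiers": ("T1082", "discovery"),
    "app_listed_processes":        ("T1057", "discovery"),
    "app_read_bookmarks":          ("T1217", "discovery"),
    "app_read_sms_contacts":       ("T1005", "collection"),
    "app_downloaded_to_sdcard":    ("T1105", "ingress"),
    "egress_unexpected_host":      ("T1041", "egress"),
}
REQUIRED = {"discovery", "collection", "egress"}  # one class alone is not enough

def correlate(events, window=timedelta(minutes=30)):
    """Return {device: sorted technique IDs} for devices whose events cover every
    class in REQUIRED inside one sliding window; isolated hits are ignored."""
    per_device = defaultdict(list)
    for e in events:
        tech = KIND_TO_TECHNIQUE.get(e["kind"])
        if tech:
            per_device[e["device"]].append((datetime.fromisoformat(e["ts"]), *tech))
    flagged = {}
    for device, hits in per_device.items():
        hits.sort()  # chronological; tuples sort by timestamp first
        for i, (t0, _, _) in enumerate(hits):
            in_win = [h for h in hits[i:] if h[0] - t0 <= window]
            if REQUIRED <= {cls for _, _, cls in in_win}:
                flagged[device] = sorted({tid for _, tid, _ in in_win})
                break
    return flagged

if __name__ == "__main__":
    for dev, techs in correlate(EVENTS).items():
        print(f"{dev}: discovery+collection+egress within window -> {', '.join(techs)}")
```

Only android-017 is flagged; android-042 shows collection and egress hours apart with no discovery activity, which is the kind of single-signal noise the hunt deliberately excludes.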
Mitigation priorities
- Prioritize Android device inventory, enrollment, and policy enforcement for users with sensitive access.
- Limit installation of untrusted applications and review app permissions according to organizational policy.
- Apply mobile OS and application update processes and remove unsupported or noncompliant devices from sensitive access paths.
- Segment and monitor mobile network access, especially where mobile devices can reach internal resources.
- Ensure IR playbooks include mobile device isolation, evidence preservation, and account/session review for users tied to suspected devices.
Analyst notes and limits
MITRE identifies MobileOrder as an Android-focused Trojan and links its use to Scarlet Mimic. The relationship context ties the malware to discovery, collection, ingress transfer, and exfiltration behaviors, which are useful for defensive validation even though the object has no specified ATT&CK tactics, platforms, aliases, or official detection guidance.
This take is constrained to the supplied ATT&CK fields and relationships. It does not establish current activity, customer exposure, specific indicators, vendor detection capability, or guaranteed platform coverage. Local device ownership models, logging availability, and mobile security architecture determine the real risk and detection feasibility.
MobileOrder
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1041 | Exfiltration Over C2 Channel | MobileOrder exfiltrates data to its C2 server over the same protocol as C2 communications. [1] |
| Enterprise | T1105 | Ingress Tool Transfer | MobileOrder has a command to download a file from the C2 server to the victim mobile device's SD card. [1] |
| Enterprise | T1005 | Data from Local System | MobileOrder exfiltrates data collected from the victim mobile device. [1] |
| Enterprise | T1057 | Process Discovery | MobileOrder has a command to upload information about all running processes to its C2 server. [1] |
| Enterprise | T1082 | System Information Discovery | MobileOrder has a command to upload to its C2 server victim mobile device information, including IMEI, IMSI, SIM card serial number, phone number, Android version, and other information. [1] |
| Enterprise | T1083 | File and Directory Discovery | MobileOrder has a command to upload to its C2 server information about files on the victim mobile device, including SD card size, installed app list, SMS content, contacts, and calling history. [1] |
| Enterprise | T1217 | Browser Information Discovery | MobileOrder has a command to upload to its C2 server victim browser bookmarks. [1] |
Groups, software, and campaigns
G0029: Scarlet Mimic
Scarlet Mimic is a threat group that has targeted minority rights activists. This group has not been directly linked to a government source, but the group's motivations appear to overlap with those of the Chinese government. While there is some overlap between IP addresses used by Scarlet Mimic and Putter Panda, it has not been concluded that the groups are the same. [1]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | aa82fa0decf2… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Scarlet Mimic Jan 2016. Falcone, R. and Miller-Osborn, J. (2016, January 24). Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists. Retrieved February 10, 2016.
[2] mitre-attack S0079. MITRE ATT&CK source object for MobileOrder.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.