S0292: AndroRAT
AndroRAT is an open-source remote access tool for Android devices. AndroRAT is capable of collecting data, such as device location, call logs, etc., and is capable of executing actions, such as sending SMS messages and taking pictures.[1][2][3] It is originally available through the `The404Hacking` GitHub repository.[2]
Analyst context for executives and security teams
AndroRAT matters because it turns an Android device into a remote collection and action platform. For an organization, the practical risk is not just “mobile malware”; it is exposure of location, calls, contacts, SMS content, microphone/camera data, and the ability to send SMS or control calls from a trusted user device. That can affect executive privacy, incident communications, regulated data handling, and physical security where mobile location or camera/audio access is sensitive.
Executive priority
Leaders should treat this as a mobile endpoint and privacy-resilience issue. The key business question is whether corporate Android devices, BYOD devices with business access, or high-risk user devices are governed well enough to prevent or detect applications with excessive permissions, spoofed names/icons, or access to sensitive mobile content. This object supports prioritizing mobile device management, application governance, permission review, and incident response playbooks for compromised phones, especially for executives, field staff, and personnel handling sensitive communications.
Technical view
ATT&CK lists AndroRAT as Android malware with relationships to discovery, collection, device sensor capture, SMS/call control, and masquerading-style behavior. SOC and IR teams should validate whether they can identify Android applications requesting or using permissions associated with location, microphone, camera, SMS, calls, contacts, call logs, and network configuration discovery. Because ATT&CK provides no official detection text for this object and tactics are not specified, detections should be built from the related techniques and local mobile telemetry rather than from a single malware signature.
Likely telemetry
- Mobile device inventory and installed application/package metadata on Android devices
- Application permission manifests and permission grant history for location, microphone, camera, SMS, phone, contacts, and call log access
- Mobile security or MDM alerts for suspicious, sideloaded, spoofed, or policy-violating applications
- Android application names, icons, package names, signing information, and install source where available
- SMS send/receive activity and default SMS handler changes where collected and legally permitted
Detection direction
- Map mobile detections to the related ATT&CK techniques: T1422, T1429, T1430, T1512, T1582, T1616, T1636.002, T1636.003, T1636.004, and T1655.001.
- Validate coverage for Android apps that request combinations of sensitive permissions inconsistent with their business purpose, especially SMS, phone, contacts, call logs, microphone, camera, and location.
- Tune for masquerading indicators such as apps approximating legitimate names, icons, package names, or locations, while accounting for false positives from legitimate enterprise apps with broad permissions.
- Prioritize high-risk users and devices because audio, video, location, SMS, contacts, and call data may have executive, legal, operational, or physical-security sensitivity.
- Do not rely only on network indicators or malware names; the supplied object is an open-source remote access tool and ATT&CK does not provide official detection logic for this software entry.
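The detection direction above amounts to three checks over mobile inventory data: sensitive-permission combinations that the app's business purpose does not explain, masquerading indicators (an approved app's label on a different package, or a near-duplicate package name), and untrusted install sources. The following is an added example, not code from this page, from MITRE or from Glexia: it runs those checks over a constructed Android app-inventory export and tags each finding with the technique IDs from the table on this page. The inventory records, the allowlist of approved apps, the per-category permission policy, the trusted-installer set and the thresholds are all constructed assumptions; a real deployment would feed them from MDM exports and local app-approval records.

```python
"""Constructed Android app-inventory triage for AndroRAT-style indicators.

Added example; not code from the mirrored ATT&CK page or from Glexia. The
inventory records, allowlist, category policy and trusted installers below
are constructed assumptions for illustration.
"""
from __future__ import annotations

import difflib
from dataclasses import dataclass, field

# Android permission -> (sensitive data group, ATT&CK technique from this page's table).
SENSITIVE_PERMISSIONS = {
    "android.permission.ACCESS_FINE_LOCATION": ("location", "T1430"),
    "android.permission.ACCESS_COARSE_LOCATION": ("location", "T1430"),
    "android.permission.RECORD_AUDIO": ("microphone", "T1429"),
    "android.permission.CAMERA": ("camera", "T1512"),
    "android.permission.SEND_SMS": ("sms", "T1582"),
    "android.permission.READ_SMS": ("sms", "T1636.004"),
    "android.permission.RECEIVE_SMS": ("sms", "T1636.004"),
    "android.permission.CALL_PHONE": ("phone", "T1616"),
    "android.permission.READ_CALL_LOG": ("call_log", "T1636.002"),
    "android.permission.READ_CONTACTS": ("contacts", "T1636.003"),
    "android.permission.ACCESS_WIFI_STATE": ("network", "T1422"),
}
# Sensitive groups a business app category is expected to need (constructed policy).
EXPECTED_GROUPS = {
    "messaging": {"sms", "contacts", "network"},
    "navigation": {"location", "network"},
    "productivity": {"network"},
}
# Label -> package of approved enterprise apps (constructed allowlist).
ALLOWLIST = {
    "Enterprise Mail": "com.example.enterprise.mail",
    "Field Maps": "com.example.fieldmaps",
}
TRUSTED_INSTALLERS = {"com.android.vending", "mdm-managed"}
EXCESS_THRESHOLD = 2       # one unexplained group is common in legitimate apps
PACKAGE_SIMILARITY = 0.85  # near-duplicate package names suggest typosquatting


@dataclass
class Finding:
    package: str
    reason: str
    techniques: list[str] = field(default_factory=list)


def triage_app(app: dict) -> list[Finding]:
    """Return findings for one inventory record (empty list means nothing notable)."""
    findings: list[Finding] = []
    perms = [p for p in app["permissions"] if p in SENSITIVE_PERMISSIONS]
    groups = {SENSITIVE_PERMISSIONS[p][0] for p in perms}
    unexplained = groups - EXPECTED_GROUPS.get(app.get("category", ""), set())
    if len(unexplained) >= EXCESS_THRESHOLD:
        techs = sorted({SENSITIVE_PERMISSIONS[p][1] for p in perms
                        if SENSITIVE_PERMISSIONS[p][0] in unexplained})
        findings.append(Finding(app["package"],
                                "excess-permissions:" + ",".join(sorted(unexplained)), techs))
    # Masquerading (T1655.001): an approved label on a different package, or a
    # package name that is a near-duplicate of an approved one.
    approved = ALLOWLIST.get(app["label"])
    if approved is not None and approved != app["package"]:
        findings.append(Finding(app["package"], f"masquerade:label-of:{approved}", ["T1655.001"]))
    else:
        for legit in ALLOWLIST.values():
            ratio = difflib.SequenceMatcher(None, app["package"], legit).ratio()
            if app["package"] != legit and ratio >= PACKAGE_SIMILARITY:
                findings.append(Finding(app["package"], f"masquerade:similar-to:{legit}", ["T1655.001"]))
                break
    if app.get("installer") not in TRUSTED_INSTALLERS:
        findings.append(Finding(app["package"], f"untrusted-installer:{app.get('installer')}"))
    return findings


def triage_inventory(records: list[dict]) -> dict[str, list[Finding]]:
    """Triage a whole export; only packages with at least one finding are returned."""
    out: dict[str, list[Finding]] = {}
    for rec in records:
        found = triage_app(rec)
        if found:
            out[rec["package"]] = found
    return out


# Constructed sample export: one approved app, one typosquatted clone, one benign app.
SAMPLE_INVENTORY = [
    {"package": "com.example.enterprise.mail", "label": "Enterprise Mail", "category": "messaging",
     "installer": "com.android.vending",
     "permissions": ["android.permission.READ_CONTACTS", "android.permission.ACCESS_WIFI_STATE"]},
    {"package": "com.example.enterprise.mai1", "label": "Enterprise Mail", "category": "",
     "installer": "com.android.packageinstaller",
     "permissions": ["android.permission.ACCESS_FINE_LOCATION", "android.permission.RECORD_AUDIO",
                     "android.permission.CAMERA", "android.permission.SEND_SMS",
                     "android.permission.READ_SMS", "android.permission.READ_CALL_LOG",
                     "android.permission.READ_CONTACTS", "android.permission.CALL_PHONE",
                     "android.permission.ACCESS_WIFI_STATE"]},
    {"package": "com.example.fieldmaps", "label": "Field Maps", "category": "navigation",
     "installer": "com.android.vending",
     "permissions": ["android.permission.ACCESS_FINE_LOCATION", "android.permission.CAMERA",
                     "android.permission.ACCESS_WIFI_STATE"]},
]

if __name__ == "__main__":
    for pkg, findings in triage_inventory(SAMPLE_INVENTORY).items():
        for f in findings:
            print(pkg, f.reason, f.techniques)
```

The threshold of two unexplained permission groups is the false-positive control the page asks for: the benign mapping app that also declares camera access is not flagged, while the clone that declares location, microphone, camera, SMS, call, call-log and contact access together is flagged on all three checks. The technique IDs carried on each finding let the SOC map an alert straight back to the ATT&CK rows on this page.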
Mitigation priorities
- Establish or validate mobile application governance for Android devices, including approved app sources, app vetting, and controls over sideloading where business policy permits.
- Use MDM or equivalent mobile controls to enforce least-privilege application permissions and restrict unnecessary access to SMS, calls, contacts, call logs, microphone, camera, and location.
- Apply stricter controls and monitoring for executive, administrator, field, and other sensitive-user devices.
- Prepare IR procedures for suspected Android compromise, including device isolation, evidence preservation, application inventory review, credential/session review, and privacy/legal handling for mobile content.
- Use compliance evidence from mobile inventory, permission policy, app approval records, and incident response procedures to demonstrate governance over sensitive mobile data access.
Analyst notes and limits
The strongest defensive value comes from treating AndroRAT as a pattern of Android remote access behaviors rather than only a named malware family. The relationships indicate the behaviors defenders should validate: network configuration discovery, audio/video/location collection, SMS and call control, call log/contact/SMS collection, and matching legitimate names or locations.
ATT&CK provides no official detection text, no tactics for this object in the supplied fields, and no aliases. The supplied data supports Android as the platform for AndroRAT; any assessment of exposure, active exploitation, attribution, or existing detection coverage requires local device inventory, mobile telemetry, and incident evidence.
AndroRAT
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Mobile | T1582 | SMS Control | AndroRAT can send SMS messages. (Citation: forcepoint_bitter) |
| Mobile | T1636.002 | Call Log Sub-technique | AndroRAT collects call logs. (Citation: Lookout-EnterpriseApps) (Citation: forcepoint_bitter) |
| Mobile | T1512 | Video Capture | AndroRAT can take photos and videos using the device cameras. (Citation: forcepoint_bitter) |
| Mobile | T1636.004 | SMS Messages Sub-technique | AndroRAT captures SMS messages. (Citation: Lookout-EnterpriseApps) (Citation: forcepoint_bitter) |
| Mobile | T1636.003 | Contact List Sub-technique | AndroRAT collects contact list information. (Citation: Lookout-EnterpriseApps) (Citation: forcepoint_bitter) |
| Mobile | T1429 | Audio Capture | AndroRAT gathers audio from the microphone. (Citation: Lookout-EnterpriseApps) (Citation: forcepoint_bitter) |
| Mobile | T1422 | System Network Configuration Discovery | AndroRAT collects the device’s location through GPS or through network settings. (Citation: forcepoint_bitter) |
| Mobile | T1655.001 | Match Legitimate Name or Location Sub-technique | AndroRAT masquerades as legitimate applications. (Citation: forcepoint_bitter) (Citation: blackberry_mobile_malware_apt_esp) |
| Mobile | T1616 | Call Control | AndroRAT can make phone calls. (Citation: forcepoint_bitter) |
| Mobile | T1430 | Location Tracking | AndroRAT tracks the device location. (Citation: Lookout-EnterpriseApps) |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 8bfe77b526e6… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Lookout-EnterpriseApps: Lookout. (2016, May 25). 5 active mobile threats spoofing enterprise apps. Retrieved December 19, 2016.
[2] github_androrat: The404Hacking. (n.d.). AndroRAT. Retrieved November 17, 2024.
[3] Forcepoint BITTER Pakistan Oct 2016: Dela Paz, R. (2016, October 21). BITTER: a targeted attack against Pakistan. Retrieved June 1, 2022.
[4] mitre-attack: S0292.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.