
S0295: RCSAndroid

RCSAndroid is Android malware. [1]

Domain: Mobile. ID: S0295. Type: Malware. Object version 1.2.
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

RCSAndroid is an Android malware entry in ATT&CK with relationships showing mobile surveillance and data collection behaviors: runtime code download, access to stored app/local data, clipboard, SMS, location, audio, and video capture, plus out-of-band communications. For leaders, the practical issue is not just “malware on a phone”; it is the potential exposure of executive communications, credentials copied through mobile workflows, physical location patterns, and sensitive business data stored on or accessible from Android devices.

Executive priority

Treat this as a mobile risk validation case for high-value users and managed Android fleets. Priority questions: which Android devices can access sensitive business systems, whether mobile permissions and sideloading are governed, whether rooted or compromised devices are blocked from enterprise access, and whether SOC/IR teams can produce evidence of mobile app inventory, permissions, device posture, and suspicious mobile network behavior. The audio, video, SMS, clipboard, and location relationships make this relevant to privacy, compliance evidence, executive protection, and cyber-physical exposure where mobile devices are used in sensitive environments.

Technical view

ATT&CK provides no official detection text and no tactics for this malware object, so defenders should validate coverage against the related Android techniques rather than rely on a single malware signature. Focus on Android telemetry that can reveal dynamic code loading after installation, abnormal permission combinations, access to SMS/content providers, microphone/camera/location use, clipboard monitoring where observable, local or application data access, and communications over nonstandard or out-of-band paths. IR teams should be prepared to preserve mobile device posture, installed application details, permissions, network indicators, and evidence of rooting or elevated access where available.

Likely telemetry

  • Android device inventory and OS/version posture from enterprise mobility or device management tooling
  • Installed application inventory, package metadata, signing/source information, and sideloading status
  • Application permission declarations and runtime permission grants for microphone, camera, location, SMS, storage, clipboard-related behavior, and background location
  • Mobile threat defense or endpoint telemetry for dynamic code loading, downloaded executable content, and suspicious post-install behavior
  • Network telemetry from mobile devices, including unusual destinations, data transfer patterns, and possible fallback or out-of-band communication indicators

Detection direction

  • Map detections to the related techniques: T1407, T1409, T1414, T1429, T1430, T1512, T1533, T1636.004, and T1644, because the malware object itself has no official detection guidance.
  • Validate behavioral detection beyond static app scanning; T1407 indicates code may be downloaded after installation, which can reduce confidence in pre-install or app-store-only review.
  • Tune permission-risk analytics for combinations that are sensitive in business contexts, such as microphone plus camera plus background location plus SMS or broad storage access, while accounting for legitimate enterprise apps that require these permissions.
  • Check blind spots around BYOD, unmanaged Android devices, personal messaging apps, external storage, and mobile telemetry that is not forwarded to the SOC.
  • For out-of-band data behavior, confirm whether SMS, Bluetooth, NFC, push notification abuse, or cellular/Wi-Fi gaps are observable in the organization’s mobile monitoring model.
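The permission-risk analytic described in the list above, written out as an added example (not code from Glexia, MITRE, or the RCSAndroid report). It scores a constructed app-inventory export of the kind an MDM or mobile threat defense tool produces: the record field names (package, installer, granted_permissions, dynamic_code_loaded), the MDM installer package name, and the approved enterprise package are assumptions; the permission strings are real Android permissions, and the technique IDs are the ones listed on this page. Vetted enterprise apps skip the combination rule, but runtime code download still counts for them, since T1407 undermines pre-install review.

```python
"""Permission-risk analytic for a managed Android fleet.

Added example; not code from Glexia, MITRE or the RCSAndroid report.
Input records imitate an MDM / mobile threat defense app-inventory export;
the record field names and the inventory itself are constructed.
"""
from dataclasses import dataclass

# Real Android permission strings, grouped by the capability they enable and
# mapped to the ATT&CK technique IDs listed on this page.
PERMISSION_GROUPS = {
    "microphone": ({"android.permission.RECORD_AUDIO"}, "T1429"),
    "camera": ({"android.permission.CAMERA"}, "T1512"),
    "location": ({"android.permission.ACCESS_FINE_LOCATION",
                  "android.permission.ACCESS_COARSE_LOCATION"}, "T1430"),
    "background_location": ({"android.permission.ACCESS_BACKGROUND_LOCATION"}, "T1430"),
    "sms": ({"android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
             "android.permission.SEND_SMS"}, "T1636.004"),
    "storage": ({"android.permission.READ_EXTERNAL_STORAGE",
                 "android.permission.MANAGE_EXTERNAL_STORAGE"}, "T1533"),
}

# Governed install sources: Google Play plus a hypothetical MDM agent package.
# Any other installer value is treated as sideloading.
APPROVED_INSTALLERS = {"com.android.vending", "com.example.mdm.agent"}
# Vetted enterprise apps allowed to hold the sensitive combination (constructed).
APPROVED_PACKAGES = {"com.example.corp.fieldops"}


@dataclass
class Finding:
    package: str
    score: int
    severity: str
    techniques: list
    reasons: list


def score_app(app: dict) -> Finding:
    """Score one inventory record and map its signals to ATT&CK techniques."""
    granted = set(app.get("granted_permissions", []))
    groups = {name for name, (perms, _) in PERMISSION_GROUPS.items() if granted & perms}
    techniques = {PERMISSION_GROUPS[g][1] for g in groups}
    score, reasons = 0, []
    approved = app["package"] in APPROVED_PACKAGES

    capture = groups & {"microphone", "camera", "background_location", "sms"}
    if not approved:
        # Surveillance combination: mic + camera + background location + SMS or storage.
        if ({"microphone", "camera", "background_location"} <= groups
                and groups & {"sms", "storage"}):
            score += 50
            reasons.append("mic + camera + background location + SMS/storage")
        elif len(capture) >= 2:
            score += 15
            reasons.append("multiple capture permissions: " + ", ".join(sorted(capture)))

    if app.get("installer") not in APPROVED_INSTALLERS:
        score += 20
        reasons.append("sideloaded (installer %r)" % app.get("installer"))

    # Code downloaded after install defeats pre-install vetting, so it counts
    # even for approved packages.
    if app.get("dynamic_code_loaded"):
        score += 30
        techniques.add("T1407")
        reasons.append("downloaded code at runtime")

    severity = "high" if score >= 50 else "medium" if score >= 20 else "low"
    return Finding(app["package"], score, severity, sorted(techniques), reasons)


def analyze_inventory(records):
    """Return findings for every record, highest risk first."""
    return sorted((score_app(r) for r in records), key=lambda f: -f.score)


# Constructed inventory: one sideloaded app with the full surveillance
# combination and runtime code download, one vetted field-ops app, and one
# Play-installed messenger.
SAMPLE_INVENTORY = [
    {"package": "com.example.suspect.notes", "installer": None,
     "granted_permissions": ["android.permission.RECORD_AUDIO",
                             "android.permission.CAMERA",
                             "android.permission.ACCESS_FINE_LOCATION",
                             "android.permission.ACCESS_BACKGROUND_LOCATION",
                             "android.permission.READ_SMS"],
     "dynamic_code_loaded": True},
    {"package": "com.example.corp.fieldops", "installer": "com.example.mdm.agent",
     "granted_permissions": ["android.permission.RECORD_AUDIO",
                             "android.permission.CAMERA",
                             "android.permission.ACCESS_FINE_LOCATION",
                             "android.permission.ACCESS_BACKGROUND_LOCATION",
                             "android.permission.READ_EXTERNAL_STORAGE"],
     "dynamic_code_loaded": False},
    {"package": "com.example.messenger", "installer": "com.android.vending",
     "granted_permissions": ["android.permission.RECORD_AUDIO",
                             "android.permission.CAMERA",
                             "android.permission.ACCESS_FINE_LOCATION"],
     "dynamic_code_loaded": False},
]

if __name__ == "__main__":
    for f in analyze_inventory(SAMPLE_INVENTORY):
        print(f"{f.severity:6} {f.score:3} {f.package} {f.techniques} {f.reasons}")
```

The weights and thresholds are deliberately simple so they can be tuned per fleet; the point is the shape of the rule: sensitive combinations, install source, and post-install behaviour scored together and each finding carrying the technique IDs it maps to, so the output can be reconciled against the coverage map for T1407, T1429, T1430, T1512, T1533 and T1636.004.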

Mitigation priorities

  • Prioritize managed Android enrollment, device compliance checks, and conditional access for users or devices that can reach sensitive business systems.
  • Restrict sideloading and enforce approved application sources or allowlisting where operationally feasible.
  • Govern high-risk permissions, especially microphone, camera, location, SMS, storage, and background location, with exception handling for legitimate business apps.
  • Maintain Android OS and security patch currency and block rooted or policy-noncompliant devices from enterprise access where supported by the access model.
  • Use mobile app vetting that includes behavioral or dynamic analysis, not only static package review, because the related behavior includes downloading new code at runtime.

Analyst notes and limits

The supplied ATT&CK object is sparse: the official description only states that RCSAndroid is Android malware, and detection is not provided. The strongest decision value comes from the supplied relationships, which indicate the behaviors defenders should validate across the Android fleet. The external reference title also points to spying functionality and rooting behavior, but this take avoids expanding beyond the supplied ATT&CK fields and relationship descriptions.

No active exploitation, victimology, attribution, indicators, command-and-control infrastructure, or guaranteed detection logic is provided in the supplied fields. Tactics are not specified. Any assessment of exposure requires local evidence: Android fleet scope, BYOD policy, device management coverage, mobile telemetry retention, app inventory, permission state, and access paths from mobile devices into enterprise systems.

Official MITRE ATT&CK definition

RCSAndroid

RCSAndroid is Android malware. [1]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure
Mobile | T1429 | Audio Capture | RCSAndroid can record audio using the device microphone. [1]
Mobile | T1636.004 | SMS Messages (sub-technique) | RCSAndroid can collect SMS, MMS, and Gmail messages. [1]
Mobile | T1409 | Stored Application Data | RCSAndroid can collect contacts and messages from popular applications, including Facebook Messenger, WhatsApp, Skype, Viber, Line, WeChat, Hangouts, Telegram, and BlackBerry Messenger. [1]
Mobile | T1644 | Out of Band Data | RCSAndroid can use SMS for command and control. [1]
Mobile | T1407 | Download New Code at Runtime | RCSAndroid has the ability to dynamically download and execute new code at runtime. [1]
Mobile | T1414 | Clipboard Data | RCSAndroid can monitor clipboard content. [1]
Mobile | T1533 | Data from Local System | RCSAndroid can collect passwords for Wi-Fi networks and online accounts, including Skype, Facebook, Twitter, Google, WhatsApp, Mail, and LinkedIn. [1]
Mobile | T1512 | Video Capture | RCSAndroid can capture photos using the front and back cameras. [1]
Mobile | T1430 | Location Tracking | RCSAndroid can record location. [1]


Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).

ATT&CK release: 19.1
Object version: 1.2
Created: (empty in the mirrored snapshot)
Modified: (empty in the mirrored snapshot)
Raw hash: d9840abe71754f7e...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.2 | | Current bundle | d9840abe7175…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] TrendMicro-RCSAndroid: Veo Zhang. (2015, July 21). Hacking Team RCSAndroid Spying Tool Listens to Calls; Roots Devices to Get In. Retrieved December 22, 2016.
  2. [2] RCSAndroid (Citation: TrendMicro-RCSAndroid)
  3. [3] mitre-attack S0295

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.