
S0302: Twitoor

Twitoor is a dropper application capable of receiving commands from social media.[1]

Domain: Mobile | ID: S0302 | Type: Malware | Object version 2.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

Twitoor is Android malware, specifically a dropper, notable because its commands can arrive through a legitimate social media service (Twitter, per the cited ESET reporting) rather than from dedicated command-and-control infrastructure. For leaders, the practical issue is that blocking known malicious infrastructure alone may not be enough: legitimate external web services can be abused to deliver instructions over encrypted connections, and the application may also hide its launcher icon so that users are less likely to notice or remove it.

Executive priority

Prioritize this as a mobile security and incident-response readiness problem where Android devices have access to corporate data, identity tokens, messaging, or operational workflows. The decision value is to confirm whether the organization can inventory installed mobile apps, detect suspicious use of legitimate web services, investigate encrypted mobile network traffic patterns, and support user/device remediation when an app is not obvious to the user. This also supports compliance evidence around mobile device governance and monitoring where corporate-managed Android devices are in scope.

Technical view

ATT&CK lists Twitoor as Android malware and a dropper capable of receiving commands from social media. The relationship context ties it to One-Way Communication (T1481.003), Encrypted Channel (T1521), and Suppress Application Icon (T1628.001). SOC, mobile security, and IR teams should validate visibility into Android app inventory, package installation events, launcher/icon state where available, and outbound traffic from mobile apps to legitimate social media or web services. Because no official ATT&CK detection text is provided, detections should be environment-specific and focus on combinations of suspicious mobile app behavior rather than a single indicator.

Likely telemetry

  • Android mobile device management or enterprise mobility management app inventory
  • Android package installation, update, and removal events
  • Mobile threat defense findings, if deployed
  • Network/DNS/proxy telemetry for Android devices accessing external web and social media services
  • TLS/encrypted traffic metadata such as destination, frequency, timing, and app/process attribution where available

Detection direction

  • Validate whether monitoring can associate outbound mobile traffic with the responsible Android application, not just the device IP or user.
  • Look for unusual or unauthorized Android apps that communicate with social media or external web services, especially when the app has no clear business need.
  • Tune carefully for false positives because legitimate apps commonly use social media, web APIs, and encrypted channels.
  • Correlate network behavior with app inventory anomalies, such as recently installed applications, unknown publishers, or applications not visible to users in the launcher.
  • Include checks for applications that suppress their launcher icon, since this can reduce user-driven discovery and uninstall attempts.
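The correlation described in the list above, as an added example (not MITRE, Glexia or Twitoor code): it scores each Android package by combining app-inventory signals (approval status, installer, install age, launcher visibility) with app-attributed network flows to social media hosts, and adds weight when those flows recur at a steady cadence. The inventory and flow records are constructed sample data, and the field names, the host and installer lists, the weights and the threshold are assumptions to be replaced with local values; a legitimate social media client scores low, a recently sideloaded, hidden package polling the same service is flagged.

```python
"""Correlate Android app inventory with app-attributed network flows.

Added example for this page; not MITRE, Glexia or Twitoor code. Records
are constructed, and field names (package, installer, launcher_visible,
approved, dst_host, ts) are assumptions about an MDM/MTD export schema.
"""
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Assumption: legitimate web services an attacker may abuse as a one-way
# command channel (T1481.003). Extend from local policy.
SOCIAL_MEDIA_HOSTS = {"api.twitter.com", "twitter.com", "x.com",
                      "graph.facebook.com", "api.telegram.org"}
# Assumption: installer packages treated as a trusted app store.
TRUSTED_INSTALLERS = {"com.android.vending"}

RECENT_DAYS = 7      # "recently installed" window (assumed)
FLAG_THRESHOLD = 5   # weighted signals needed before an app is flagged

# Constructed reference time so the sample is reproducible offline.
NOW = datetime(2024, 3, 1, 12, 0, 0)


def is_beaconing(timestamps, min_flows=4, max_rel_jitter=0.25):
    """True when flows recur at a steady cadence (low relative jitter)."""
    if len(timestamps) < min_flows:
        return False
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    avg = mean(gaps)
    return avg > 0 and pstdev(gaps) / avg <= max_rel_jitter


def score_app(app, app_flows, now=NOW):
    """Weighted score plus reasons for one inventory record and its flows."""
    score, reasons = 0, []
    if not app.get("approved", False):
        score += 1
        reasons.append("not on approved app list")
    if app.get("installer") not in TRUSTED_INSTALLERS:
        score += 2
        reasons.append("sideloaded or untrusted installer")
    if now - app["installed"] <= timedelta(days=RECENT_DAYS):
        score += 1
        reasons.append(f"installed within {RECENT_DAYS} days")
    if not app.get("launcher_visible", True):
        score += 2
        reasons.append("no launcher icon (T1628.001)")
    social = [f for f in app_flows if f["dst_host"] in SOCIAL_MEDIA_HOSTS]
    if social:
        hosts = ",".join(sorted({f["dst_host"] for f in social}))
        score += 1
        reasons.append(f"contacts web service: {hosts}")
        if is_beaconing([f["ts"] for f in social]):
            score += 2
            reasons.append("periodic polling of web service (T1481.003)")
    return score, reasons


def evaluate(inventory, flows, now=NOW):
    """Map package -> (score, reasons) across the whole inventory."""
    by_pkg = {}
    for f in flows:
        by_pkg.setdefault(f["package"], []).append(f)
    return {a["package"]: score_app(a, by_pkg.get(a["package"], []), now)
            for a in inventory}


def flagged(results, threshold=FLAG_THRESHOLD):
    """Packages whose score meets the threshold, sorted by name."""
    return sorted(p for p, (s, _) in results.items() if s >= threshold)


# Constructed sample inventory: an approved social app, a sideloaded
# utility, and a hidden, recently sideloaded package (hypothetical names).
SAMPLE_INVENTORY = [
    {"package": "com.twitter.android", "installer": "com.android.vending",
     "installed": NOW - timedelta(days=200), "launcher_visible": True,
     "approved": True},
    {"package": "com.example.notes", "installer": None,
     "installed": NOW - timedelta(days=40), "launcher_visible": True,
     "approved": False},
    {"package": "com.example.hiddenupdater", "installer": None,
     "installed": NOW - timedelta(days=2), "launcher_visible": False,
     "approved": False},
]

# Constructed app-attributed flows: the real client talks irregularly, the
# hidden package polls api.twitter.com roughly every 60 seconds.
SAMPLE_FLOWS = (
    [{"package": "com.twitter.android", "dst_host": "api.twitter.com",
      "ts": NOW - timedelta(seconds=s)} for s in (0, 30, 400, 410, 3000)]
    + [{"package": "com.example.hiddenupdater", "dst_host": "api.twitter.com",
        "ts": NOW - timedelta(seconds=s)} for s in (0, 60, 118, 180, 240, 301)]
    + [{"package": "com.example.notes", "dst_host": "sync.example.net",
        "ts": NOW - timedelta(seconds=900)}]
)

if __name__ == "__main__":
    for pkg, (score, reasons) in evaluate(SAMPLE_INVENTORY, SAMPLE_FLOWS).items():
        mark = "FLAG" if score >= FLAG_THRESHOLD else "    "
        print(f"{mark} {pkg}: score={score} {'; '.join(reasons)}")
```

The point of the weighting is that no single signal decides: contact with a social media host is worth little on its own because legitimate clients do exactly that, while a hidden icon or a sideload only matters in combination. The beaconing check is deliberately coarse (relative jitter of inter-flow gaps); real deployments should tune the window, minimum flow count and jitter against their own baseline, and treat per-app attribution as a prerequisite rather than an assumption.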

Mitigation priorities

  • Maintain authoritative inventory and policy enforcement for Android applications on managed devices.
  • Restrict installation of unapproved applications where business requirements allow.
  • Ensure mobile IR procedures can preserve and examine Android app, network, and configuration evidence.
  • Apply network controls and logging for corporate Android traffic, with special attention to app-attributed access to external web services.
  • Educate help desk and users to escalate reports of apps that disappear from the launcher or are difficult to remove.

Analyst notes and limits

The supplied ATT&CK object is sparse: Twitoor has an official description and relationships to three mobile techniques, but no ATT&CK detection guidance, aliases, labels, or tactics are specified. The most useful defensive framing is therefore control validation: app inventory, mobile network visibility, encrypted-channel metadata, and the ability to investigate hidden Android applications.

This take is limited to the official STIX fields, external references, and stated relationships. It does not establish current activity, attribution, prevalence, specific indicators, or guaranteed detection methods. Local mobile management architecture, allowed app policy, network logging, and privacy/legal constraints will determine practical coverage.

Official MITRE ATT&CK definition

Twitoor

Twitoor is a dropper application capable of receiving commands from social media.[1]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain  ID         Name                                        Relationship / procedure
Mobile  T1628.001  Suppress Application Icon (sub-technique)   Twitoor can hide its presence on the system. [1]
Mobile  T1521      Encrypted Channel                           Twitoor encrypts its C2 communication. [1]
Mobile  T1481.003  One-Way Communication (sub-technique)       Twitoor can be controlled via Twitter. [1]

Relationship explorer

All related ATT&CK context

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 2.0
Created:
Modified:
Raw hash: 43a47d22caac54e5...

Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1                      2.0                       Current bundle  43a47d22caac…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] ESET-Twitoor
     ESET. (2016, August 24). First Twitter-controlled Android botnet discovered. Retrieved December 22, 2016. (source URL)
  2. [2] Twitoor
     (Citation: ESET-Twitoor)
  3. [3] mitre-attack S0302 (source URL)
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.