Live Active security incident? Get immediate response
MITRE ATT&CK® Malware

S0307: Trojan-SMS.AndroidOS.Agent.ao

Trojan-SMS.AndroidOS.Agent.ao is Android malware. [1]

MobileS0307MalwareObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

Trojan-SMS.AndroidOS.Agent.ao is listed by ATT&CK as Android malware with a documented relationship to Web Protocols for command-and-control style communications. The business issue is not a specific confirmed impact from the ATT&CK entry, but the coverage question it raises: can the organization see and govern mobile applications that communicate over ordinary HTTP/HTTPS-like traffic, where malicious activity can blend into normal mobile web use?

Executive priority

Treat this as a mobile visibility and control validation item. Leaders should ask whether managed Android devices are inventoried, whether mobile app installation and network activity are logged, and whether SOC/IR teams can investigate suspicious web-protocol traffic from mobile endpoints. This supports resilience, incident readiness, and compliance evidence for mobile device governance without assuming this malware is present in the environment.

Technical view

ATT&CK provides no detection text, tactics, aliases, or malware platform field, but the official description identifies Android malware and the relationship shows use of T1437.001 Web Protocols. SOC and IR teams should validate whether they can correlate mobile app inventory, install events, device ownership/management state, DNS, proxy, firewall, and HTTP/HTTPS metadata for mobile-originated traffic. Detection engineering should focus on suspicious app-to-network behavior over common web protocols rather than relying on the malware name alone.

Likely telemetry

  • MDM/EMM inventory for Android devices and installed applications
  • Mobile app installation, update, and removal events
  • Device compliance and management-state records
  • DNS, proxy, firewall, VPN, or secure web gateway logs for mobile device traffic
  • HTTP/HTTPS metadata where lawfully and technically available

Detection direction

  • Validate that mobile web-protocol traffic can be attributed to a device, user, and where possible an application.
  • Look for unusual or unauthorized mobile applications generating network traffic over common web protocols, while tuning carefully for high volumes of normal mobile app traffic.
  • Correlate network indicators with MDM inventory and device compliance status; unmanaged or poorly inventoried devices are a key blind spot.
  • Do not depend on ATT&CK detection guidance for this object, because none is provided; local baselines and control telemetry are required.
  • Use the related T1437.001 context to test whether HTTP/HTTPS-based mobile communications are visible enough for triage and containment decisions.

Mitigation priorities

  • Prioritize mobile device management and application inventory for Android devices in scope.
  • Enforce approved app sources, app vetting, and policy controls against unauthorized or risky applications where business requirements allow.
  • Ensure mobile traffic from managed devices is routed through logging points such as VPN, proxy, DNS, firewall, or secure web gateway controls as appropriate.
  • Prepare IR procedures for isolating, preserving, and reviewing suspect mobile devices without relying solely on network logs.
  • Use this object as evidence to review mobile detection coverage gaps rather than as proof of current exposure.
Analyst notes and limits

The ATT&CK entry is sparse: it identifies the malware as Android malware and provides one relationship to Web Protocols. The malware name contains 'Trojan-SMS', but the supplied official description does not provide behavioral detail about SMS activity, so this take does not claim specific SMS abuse or impact.

No official detection guidance, tactics, malware platforms field, aliases, labels, or detailed procedure text were supplied. Any assessment of exposure, prevalence, indicators, or confirmed detection requires local telemetry and additional intelligence outside this ATT&CK object.

Official MITRE ATT&CK definition

Trojan-SMS.AndroidOS.Agent.ao

Trojan-SMS.AndroidOS.Agent.ao is Android malware. [1]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 rows
Domain ID Name Relationship / procedure
Mobile T1437.001 Web Protocols Sub-technique

Trojan-SMS.AndroidOS.Agent.ao uses Google Cloud Messaging (GCM) for command and control.CitationKaspersky-MobileMalware
Relationship explorer

All related ATT&CK context

uses · Technique T1437.001: Web Protocols Mobile
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
1d97785c6bb55018...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle 1d97785c6bb5…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    Kaspersky-MobileMalware

    Roman Unuchek and Victor Chebyshev. (2014, February 24). Mobile Malware Evolution: 2013. Retrieved December 22, 2016.

    Open source URL
  2. [2]
    Trojan-SMS.AndroidOS.Agent.ao

    (Citation: Kaspersky-MobileMalware)

  3. [3]
    mitre-attack S0307
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use