MITRE ATT&CK® Malware

S0308: Trojan-SMS.AndroidOS.OpFake.a

Domain: Mobile | ID: S0308 | Type: Malware | Object version: 1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

Trojan-SMS.AndroidOS.OpFake.a is identified by ATT&CK as Android malware with a relationship to mobile Web Protocols communication. For leaders, the practical issue is not a specific confirmed breach scenario; it is whether mobile endpoints that can reach corporate identity, email, messaging, or cloud services are visible enough for security teams to investigate suspicious web-based command-and-control or data traffic.

Executive priority

Treat this as a mobile visibility and response-readiness question. If Android devices are part of the business environment, executives should ask whether mobile device inventory, application control, web/DNS visibility, and incident response procedures provide enough evidence to identify and contain malicious mobile software. This matters for business continuity, identity risk, audit evidence, and SOC triage because web protocol traffic can blend into normal mobile application activity.

Technical view

ATT&CK provides no detection text, no tactics, and no platform field for this software object, but the official description identifies it as Android malware and the relationship states it uses T1437.001 Web Protocols. SOC and IR teams should validate whether they can correlate mobile app/package inventory with outbound HTTP/HTTPS or related web-protocol activity, especially from managed Android devices. Detection work should focus on abnormal destinations, unusual mobile app network behavior, and correlation with device posture rather than assuming a fixed indicator set from ATT&CK.

Likely telemetry

  • MDM/EMM inventory for Android devices, installed applications, package names, versions, and device posture
  • Mobile threat defense or endpoint security events where deployed
  • Network egress logs for mobile devices, including proxy, secure web gateway, firewall, and VPN telemetry
  • DNS query logs and destination reputation/context for mobile-originated traffic
  • HTTP/HTTPS metadata where legally and technically available, such as hostnames, SNI, user-agent, URI patterns, and connection timing

Detection direction

  • Confirm whether managed Android devices are actually represented in SOC telemetry; unmanaged or BYOD devices may be a major blind spot.
  • Build detections around suspicious mobile web-protocol behavior, not just malware names, because ATT&CK supplies no official detection logic for this object.
  • Tune for false positives from legitimate mobile apps that use frequent HTTP/HTTPS connections, push services, advertising networks, and content delivery networks.
  • Correlate network anomalies with app installation events, device posture changes, and identity access activity to improve confidence.
  • Use the T1437.001 relationship to validate coverage for web-protocol command-and-control-style communications in mobile environments.

Mitigation priorities

  • Maintain an accurate inventory of Android devices that access enterprise resources.
  • Apply mobile device management controls for approved apps, device posture, and removal or quarantine workflows.
  • Restrict enterprise access from devices that are unmanaged, noncompliant, or lacking required security controls.
  • Ensure web, DNS, VPN, and cloud access logging can support mobile incident investigations.
  • Document mobile malware response procedures, including user notification, device isolation, credential review, and evidence preservation.

Analyst notes and limits

The software name and external reference identify this as Android malware, and ATT&CK links it to Web Protocols. The supplied ATT&CK data does not include aliases, tactics, labels, official detection guidance, or detailed behavior beyond that relationship. Local environment context is required to decide whether this is primarily a managed mobile, BYOD, identity, or network-monitoring risk.

This take is limited to the provided ATT&CK fields, external references, and relationship context. It does not assert active exploitation, attribution, specific victims, specific SMS behavior, or guaranteed detection coverage. Platforms are not listed on the software object, although the official description says Android malware and the related technique includes Android and iOS.

Official MITRE ATT&CK definition

Trojan-SMS.AndroidOS.OpFake.a

The same entry is available on attack.mitre.org (MITRE-hosted reference); in-page links above use the Glexia ATT&CK library.

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Type | Relationship / procedure
Mobile | T1437.001 | Web Protocols | Sub-technique | Trojan-SMS.AndroidOS.OpFake.a uses Google Cloud Messaging (GCM) for command and control. [1] (Kaspersky-MobileMalware)


Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 51b77ad3bf59feed...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | 51b77ad3bf59…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Kaspersky-MobileMalware
     Roman Unuchek and Victor Chebyshev. (2014, February 24). Mobile Malware Evolution: 2013. Retrieved December 22, 2016. (Source URL)
  2. [2] Trojan-SMS.AndroidOS.OpFake.a
     (Citation: Kaspersky-MobileMalware)
  3. [3] mitre-attack S0308
     (Source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.