S0310: ANDROIDOS_ANSERVER.A

ANDROIDOS_ANSERVER.A is Android malware that is unique because it uses encrypted content within a blog site for command and control. [1]

Mobile | S0310 | Malware | Object v1.3 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

ANDROIDOS_ANSERVER.A matters because it shows how Android malware can hide command-and-control direction in legitimate-looking web content, specifically encrypted content on a blog site. For leaders, the practical issue is not this single malware family alone; it is whether mobile security, network monitoring, and incident response processes can recognize suspicious mobile discovery activity and unusual access to public web services that may be used as command-and-control infrastructure.

Executive priority

Prioritize this as a mobile and C2 visibility question. Organizations that rely on Android devices for business operations should ask whether managed mobile devices have enough control and telemetry to investigate malware that profiles device and network information and reaches out to legitimate external web services. The decision value is in validating mobile device management, mobile threat detection, network egress visibility, and incident response evidence before an investigation depends on them.

Technical view

ATT&CK relates this malware to System Network Configuration Discovery, System Information Discovery, and Dead Drop Resolver on Android. SOC and IR teams should validate whether they can observe Android applications collecting device/network attributes and making outbound web requests to public web content that may contain encoded or encrypted resolver data. Because no official ATT&CK detection guidance is provided for this object, detection engineering should be based on local telemetry, the related techniques, and known-good baselines for managed Android devices.

Likely telemetry

  • Android mobile device management inventory and compliance state
  • Mobile threat defense or endpoint security alerts for Android applications
  • Application permission, installation, and provenance data where available
  • Android device/network metadata such as OS version, hardware details, IP address, and MAC address where collection is authorized
  • DNS, proxy, secure web gateway, firewall, or mobile carrier/VPN egress logs for Android device web activity

Detection direction

  • Validate visibility for the related discovery behaviors: collection of system information and network configuration from Android devices.
  • Review whether outbound Android traffic to public web services can be investigated without assuming all legitimate web destinations are benign.
  • Tune detections carefully because access to blogs and common web services can be normal user behavior; context such as unusual app origin, timing, device posture, and repeated resolver-like access is important.
  • Confirm whether encrypted or encoded content retrieved from public sites creates a blind spot for proxy-only inspection.
  • Use relationship context from T1481.001 to look for dead-drop-resolver patterns rather than only fixed known-bad C2 domains.
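As an added illustration of the "repeated resolver-like access" context in the bullets above (example code written for this page, not from the ATT&CK object or from Glexia), the following Python heuristic reads constructed proxy log lines and flags managed devices that fetch blog-style hosts at near-regular intervals; the host suffixes, log format and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Assumed blog-platform host suffixes that deserve resolver-style scrutiny
# (placeholder values, not indicators tied to this malware family).
BLOG_SUFFIXES = ("blogspot.example", "wordpress.example", "blog.example")

# Constructed sample proxy log: "<ISO timestamp> <device> <host> <bytes>".
SAMPLE_LOG = """\
2024-01-01T08:00:00 android-17 cdn.example 48213
2024-01-01T08:00:05 android-17 news.blog.example 1720
2024-01-01T09:00:02 android-17 news.blog.example 1720
2024-01-01T10:00:04 android-17 news.blog.example 1720
2024-01-01T11:00:01 android-17 news.blog.example 1720
2024-01-01T08:10:00 android-22 news.blog.example 9100
2024-01-01T12:47:00 android-22 news.blog.example 8300
"""

def parse_log(log_text):
    """Yield (timestamp, device, host, bytes) from the constructed log format."""
    for line in log_text.splitlines():
        ts, device, host, size = line.split()
        yield datetime.fromisoformat(ts), device, host, int(size)

def find_periodic_blog_access(log_text, min_hits=4, max_jitter=0.1):
    """Return {(device, host): mean_gap_seconds} for blog hosts a device hits
    at least min_hits times with inter-arrival jitter (stdev/mean) <= max_jitter.

    Regular polling of a public blog is the beaconing shape a dead-drop
    resolver produces; the sporadic browsing by android-22 is left alone."""
    hits = defaultdict(list)
    for ts, device, host, _ in parse_log(log_text):
        if host.endswith(BLOG_SUFFIXES):
            hits[(device, host)].append(ts)
    findings = {}
    for key, times in hits.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            findings[key] = avg
    return findings

if __name__ == "__main__":
    for (device, host), gap in find_periodic_blog_access(SAMPLE_LOG).items():
        print(f"{device} polls {host} about every {gap:.0f}s; triage app origin")
```

Findings are a triage cue only; the bullets above already note that blog access is normal, so app provenance and device posture still decide the case.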

Mitigation priorities

  • Maintain Android device management coverage for business devices, including application inventory and policy enforcement.
  • Restrict or review installation of untrusted Android applications where organizational policy allows.
  • Ensure mobile web egress is routed through logging points appropriate for business risk and privacy requirements.
  • Baseline normal Android application network behavior so suspicious public-web-service access can be triaged.
  • Prepare IR procedures for mobile malware cases, including device isolation, evidence preservation, and user/privacy approvals.

Analyst notes and limits

The supplied ATT&CK object identifies ANDROIDOS_ANSERVER.A as Android malware notable for using encrypted content within a blog site for command and control. The available relationships indicate discovery of system/network information and use of a dead drop resolver. This supports defensive emphasis on Android telemetry, outbound web visibility, and mobile IR readiness.

ATT&CK provides no official detection text, no tactics in the supplied object, and only one cited external source. This take does not assert current activity, attribution, prevalence, impact, or guaranteed detection. Local device ownership model, mobile logging, privacy rules, and network architecture will determine what can actually be observed.

Official MITRE ATT&CK definition

ANDROIDOS_ANSERVER.A

ANDROIDOS_ANSERVER.A is Android malware that is unique because it uses encrypted content within a blog site for command and control. [1]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure

Mobile | T1481.001 | Dead Drop Resolver (sub-technique)

ANDROIDOS_ANSERVER.A uses encrypted content within a blog site for part of its command and control. Specifically, the encrypted content contains URLs for other servers to be used for other aspects of command and control. (Citation: TrendMicro-Anserver)

Mobile | T1422 | System Network Configuration Discovery

ANDROIDOS_ANSERVER.A gathers the device IMEI and IMSI. (Citation: TrendMicro-Anserver2)

Mobile | T1426 | System Information Discovery

ANDROIDOS_ANSERVER.A gathers the device OS version, device build version, manufacturer, and model. (Citation: TrendMicro-Anserver2)

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).

ATT&CK release: 19.1
Object version: 1.3
Created:
Modified:
Raw hash: db5f87c5bead358b...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.3 | | Current bundle | db5f87c5bead…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] TrendMicro-Anserver: Karl Dominguez. (2011, October 2). Android Malware Uses Blog Posts as C&C. Retrieved February 6, 2017.
  2. [2] ANDROIDOS_ANSERVER.A (Citation: TrendMicro-Anserver)
  3. [3] mitre-attack S0310

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.