MITRE ATT&CK® Malware

S0313: RuMMS

RuMMS is an Android malware family. [1]

Domain: Mobile | ID: S0313 | Type: Malware | Object version 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

RuMMS is identified by ATT&CK as an Android malware family. The business significance is not the name itself, but the mobile behaviors ATT&CK associates with it: collecting device and network information, accessing SMS messages, and communicating over web protocols. For organizations with managed Android fleets or mobile access to business systems, this is a reminder to validate whether mobile security monitoring can show what an app can read, what device details it collects, and where it communicates.

Executive priority

Treat this as a mobile security readiness check rather than a single-malware alarm. Leaders should ask whether Android devices that access corporate email, identity systems, collaboration tools, or operational workflows are covered by enforceable app governance, SMS-permission oversight, and network visibility. Because ATT&CK provides no detection guidance for RuMMS and no object-level tactics or platforms beyond the Android malware description, control assurance should come from local telemetry, mobile device management evidence, and incident response playbooks.

Technical view

SOC, detection, and IR teams should validate coverage around the related ATT&CK behaviors: System Network Configuration Discovery, System Information Discovery, Web Protocols, and SMS Messages. Practical validation should focus on Android app inventory, permission requests and grants involving SMS access, collection of device or network configuration data where observable, and outbound HTTP/HTTPS communications from mobile devices or mobile apps. Since official detection text is not provided, detections should be behavior-led and tuned against approved mobile apps that legitimately use SMS, device metadata, or web communications.

Likely telemetry

  • MDM/UEM inventory for Android devices and installed applications
  • Android application permission state, especially SMS-related permissions where available
  • Mobile threat defense or endpoint-mobile security alerts, if deployed
  • Network, DNS, proxy, or secure web gateway records for mobile device HTTP/HTTPS activity
  • Device metadata collected through management tooling, including OS version and hardware details

Detection direction

  • Confirm whether managed Android devices are enrolled and reporting enough telemetry to investigate suspicious apps.
  • Review apps requesting or using SMS access, especially when SMS access is not required for business function.
  • Baseline normal mobile web traffic so HTTP/HTTPS command-and-control-like behavior is not hidden inside generic web protocol usage.
  • Correlate mobile app installation time, permission grants, SMS access, and outbound network activity rather than relying on a single indicator.
  • Account for false positives from legitimate messaging, authentication, carrier, and device-management applications.
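The correlation described in the Technical view and the Detection direction list (app installation, SMS permission grants, and outbound web traffic on the same device inside one time window, tuned against an approved-app list) can be expressed as a small rule. The script below is an added example, not part of the ATT&CK object or Glexia's tooling: the MDM and web-gateway records are constructed sample data, their field names are an assumption rather than any vendor's schema, and `com.example.corp.mfa` is a hypothetical approved MFA app. Only the Android permission names are real.

```python
"""Correlate Android MDM telemetry with outbound web traffic.

Added example with constructed data. Event field names are assumptions,
not a vendor schema; the package names and hosts are invented.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Real Android permission names that let an app read or intercept SMS.
SMS_PERMISSIONS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}

# Hypothetical allowlist: apps with a documented business need for SMS access.
APPROVED_SMS_APPS = {"com.example.corp.mfa"}

# Constructed MDM/UEM events: app installs and runtime permission grants.
MDM_EVENTS = [
    {"device": "dev-01", "ts": "2024-05-01T08:00:00", "type": "app_install", "pkg": "com.example.corp.mfa"},
    {"device": "dev-01", "ts": "2024-05-01T08:01:00", "type": "permission_grant", "pkg": "com.example.corp.mfa",
     "perm": "android.permission.RECEIVE_SMS"},
    {"device": "dev-02", "ts": "2024-05-01T09:10:00", "type": "app_install", "pkg": "com.update.flash"},
    {"device": "dev-02", "ts": "2024-05-01T09:11:00", "type": "permission_grant", "pkg": "com.update.flash",
     "perm": "android.permission.READ_SMS"},
    {"device": "dev-02", "ts": "2024-05-01T09:11:05", "type": "permission_grant", "pkg": "com.update.flash",
     "perm": "android.permission.RECEIVE_SMS"},
    {"device": "dev-03", "ts": "2024-05-01T10:00:00", "type": "app_install", "pkg": "com.example.game"},
]

# Constructed secure web gateway / proxy records for the same devices.
NET_EVENTS = [
    {"device": "dev-01", "ts": "2024-05-01T08:05:00", "scheme": "https", "host": "mfa.example.com", "method": "POST"},
    {"device": "dev-02", "ts": "2024-05-01T09:12:30", "scheme": "http", "host": "203.0.113.7", "method": "POST"},
    {"device": "dev-02", "ts": "2024-05-01T09:42:30", "scheme": "http", "host": "203.0.113.7", "method": "POST"},
    {"device": "dev-03", "ts": "2024-05-01T10:30:00", "scheme": "https", "host": "cdn.example.net", "method": "GET"},
]


def parse_ts(value):
    return datetime.fromisoformat(value)


def is_raw_ip(host):
    """True when the destination is a bare IP literal rather than a hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def correlate(mdm_events, net_events, approved=APPROVED_SMS_APPS, window=timedelta(hours=1)):
    """Flag (device, app) pairs where an unapproved app was installed, was granted
    SMS permissions, and the device then sent outbound POSTs within `window`.
    All three conditions are required so that no single indicator fires alone."""
    installs = {}                 # (device, pkg) -> install time
    grants = defaultdict(set)     # (device, pkg) -> granted permissions
    for e in mdm_events:
        key = (e["device"], e["pkg"])
        if e["type"] == "app_install":
            installs[key] = parse_ts(e["ts"])
        elif e["type"] == "permission_grant":
            grants[key].add(e["perm"])

    net_by_device = defaultdict(list)
    for n in net_events:
        net_by_device[n["device"]].append(n)

    findings = []
    for (device, pkg), installed in installs.items():
        if pkg in approved:       # documented business need: suppress
            continue
        sms = grants[(device, pkg)] & SMS_PERMISSIONS
        if not sms:
            continue
        posts = [n for n in net_by_device[device]
                 if n["method"] == "POST" and installed <= parse_ts(n["ts"]) <= installed + window]
        if not posts:
            continue
        notes = []
        if any(n["scheme"] == "http" for n in posts):
            notes.append("plain HTTP (unencrypted) outbound POST after install")
        if any(is_raw_ip(n["host"]) for n in posts):
            notes.append("POST to a bare IP address rather than a hostname")
        findings.append({
            "device": device,
            "pkg": pkg,
            "installed": installed.isoformat(),
            "sms_permissions": sorted(sms),
            "outbound_posts": len(posts),
            "risk_notes": notes,
        })
    return findings


if __name__ == "__main__":
    for f in correlate(MDM_EVENTS, NET_EVENTS):
        print(f)
```

Run against the constructed data, the approved MFA app on dev-01 and the game without SMS permissions on dev-03 produce nothing; only dev-02 is returned, with notes that the traffic was plain HTTP to a bare IP. Shrinking the window or adding the package to the allowlist suppresses the finding, which is the tuning lever the Detection direction list calls for.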

Mitigation priorities

  • Prioritize mobile device enrollment and enforce minimum controls for Android devices that access corporate resources.
  • Restrict untrusted app installation paths and maintain an approved-app policy for business-access devices.
  • Limit SMS permissions to applications with a documented business need and review exceptions regularly.
  • Use network egress controls and monitoring for managed mobile devices where feasible, especially for web protocol traffic.
  • Prepare mobile IR procedures for isolating a device, preserving relevant evidence, removing malicious apps, and validating account access after a suspected compromise.

Analyst notes and limits

The supplied ATT&CK object is sparse: it identifies RuMMS as an Android malware family and provides relationships to four mobile techniques, but it does not provide official detection logic, tactics, aliases, labels, or object-level platforms. The FireEye external reference title indicates reporting about SMS phishing in Russia, but this take does not assert current activity, attribution, or customer exposure.

Assessment confidence is constrained by absent ATT&CK detection guidance and limited object metadata. Local decisions require organization-specific evidence about Android device ownership models, MDM/UEM coverage, app permission visibility, mobile network logging, and whether SMS-capable devices are used for business workflows.

Official MITRE ATT&CK definition

RuMMS

RuMMS is an Android malware family. [1]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

4 rows

Domain   ID         Name                                               Relationship / procedure
Mobile   T1636.004  SMS Messages (sub-technique)                       RuMMS uploads incoming SMS messages to a remote command and control server. [1]
Mobile   T1422      System Network Configuration Discovery             RuMMS gathers the device phone number and IMEI and transmits them to a command and control server. [1]
Mobile   T1437.001  Web Protocols (sub-technique)                      RuMMS uses HTTP for command and control. [1]
Mobile   T1426      System Information Discovery                       RuMMS gathers device model and operating system version information and transmits it to a command and control server. [1]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
75af7553523798c8...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle 75af75535237…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] FireEye-RuMMS
     Wu Zhou, Deyu Hu, Jimmy Su, Yong Kang. (2016, April 26). RuMMS: The Latest Family of Android Malware Attacking Users in Russia via SMS Phishing. Retrieved February 6, 2017.
  2. [2] RuMMS
     (Citation: FireEye-RuMMS)
  3. [3] mitre-attack S0313

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.