S0540: Asacub
Analyst context for executives and security teams
Asacub matters because it is an Android banking trojan that steals money from victims' bank accounts by initiating wire transfers via SMS messages sent from the compromised device. For leaders, the practical issue is not only malware removal; it is whether mobile devices that access banking, finance workflows, or sensitive communications are governed, monitored, and recoverable enough to support fraud response and evidence collection.
Executive priority
Prioritize this as a mobile fraud and resilience scenario for Android environments. Security leaders should ask whether corporate or bring-your-own Android devices can request risky SMS permissions, become device administrators, access contacts or SMS content, and communicate over normal web protocols without visibility. The business decision value is in validating mobile device management, financial transaction controls, SOC intake for mobile telemetry, and incident response playbooks for suspected mobile banking trojans.
Technical view
ATT&CK provides no official detection text and no tactics for this object, so coverage should be validated through the related behaviors. Asacub is associated with Android techniques for obfuscation, system and network discovery, internet connectivity checks, web-protocol communications, archiving collected data, native API use, SMS control, device administrator permissions, contact and SMS message collection, and masquerading as legitimate names or locations. SOC and IR teams should test whether they can identify suspicious Android apps requesting or using SMS, contacts, network, and device administrator capabilities, especially when paired with unusual outbound HTTP/HTTPS activity or attempts to hide as trusted applications.
Likely telemetry
- Android application inventory, package names, app labels, icons, install source, and version metadata
- Android permission requests and grants, especially SEND_SMS, RECEIVE_SMS, contacts access, SMS content access, and device administrator status
- SMS send/receive records or mobile security events indicating unauthorized SMS behavior where legally and operationally available
- Mobile device management or enterprise mobility management compliance events for app installation, risky permissions, device admin activation, and policy violations
- Network telemetry from Android devices, including outbound HTTP/HTTPS destinations, timing, volume, and connectivity checks
Detection direction
- Do not assume conventional endpoint detections cover this object; ATT&CK supplies no official detection guidance for Asacub.
- Validate detection logic around combinations of risky mobile behaviors rather than a single indicator: SMS control plus banking context, device administrator activation, contacts/SMS access, masquerading, and web-protocol communications.
- Tune for false positives from legitimate messaging, banking, security, or device-management applications that may require SMS, contacts, network, or administrator permissions.
- Check blind spots in BYOD, unmanaged Android devices, encrypted web traffic, limited SMS visibility, and environments where mobile telemetry is not forwarded to the SOC.
- Use the related techniques as test cases for detection engineering: T1582, T1626.001, T1636.003, T1636.004, T1437.001, T1406, T1532, T1422, T1422.001, T1426, T1575, and T1655.001.
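The combination logic described above, run over constructed Android app-inventory records. This is an added example, not code from the Glexia page or from MITRE: the record schema, the field names (`label`, `package`, `permissions`, `device_admin`, `install_source`, `http_post_hosts`) and the trusted-app allow-list are assumed for illustration and do not correspond to any particular MDM or EMM export format. A vetted app keeps its expected permissions without firing (the false-positive tuning point), while an app that copies a trusted label under a different package name scores for masquerading.

```python
"""Combination-based triage of Android app telemetry (added example).

Not code from the Glexia page or MITRE. The record schema, the field names
and the TRUSTED_APPS allow-list are assumed for illustration and do not match
any particular MDM or EMM export format.
"""

# Capability groups, each tied to a technique from the Asacub relationship list.
SMS_PERMS = {
    "android.permission.SEND_SMS",      # T1582 SMS Control
    "android.permission.RECEIVE_SMS",   # T1636.004 SMS Messages
    "android.permission.READ_SMS",
}
CONTACT_PERMS = {"android.permission.READ_CONTACTS"}  # T1636.003 Contact List
PLAY_STORE = "com.android.vending"                    # assumed installer id

# Vetted apps (assumed): display label -> package name the organisation expects.
# Used both to suppress legitimate SMS/contacts/admin users (false-positive
# tuning) and to flag apps that reuse a trusted label under another package
# name (T1655.001). Where the MDM exports it, the signing-certificate digest
# is a stronger key than the label.
TRUSTED_APPS = {
    "Example Bank": "com.example.bank",
    "Example Messenger": "com.example.msg",
}


def score_app(app: dict) -> tuple[int, list[str]]:
    """Return (score, reasons) for one inventory record."""
    expected_pkg = TRUSTED_APPS.get(app.get("label"))
    if expected_pkg is not None and app.get("package") == expected_pkg:
        return 0, ["allowlisted"]  # vetted app; its permissions are expected

    perms = set(app.get("permissions", []))
    score, reasons = 0, []
    if perms & SMS_PERMS:
        score += 2
        reasons.append("sms_permissions")
    if perms & CONTACT_PERMS:
        score += 1
        reasons.append("contacts_access")
    if app.get("device_admin"):                 # T1626.001 Device Administrator
        score += 2
        reasons.append("device_admin")
    if app.get("install_source") != PLAY_STORE:
        score += 1
        reasons.append("sideloaded")
    if app.get("http_post_hosts"):              # T1437.001 Web Protocols (HTTP POST)
        score += 1
        reasons.append("web_protocol_c2_candidate")
    if expected_pkg is not None:                # trusted label, wrong package
        score += 3
        reasons.append("label_masquerade")
    return score, reasons


def triage(inventory: list[dict], threshold: int = 5) -> list[tuple[str, int, list[str]]]:
    """Apps scoring at or above threshold, highest score first."""
    hits = []
    for app in inventory:
        score, reasons = score_app(app)
        if score >= threshold:
            hits.append((app["package"], score, reasons))
    return sorted(hits, key=lambda h: -h[1])


# Constructed sample inventory (not real telemetry).
SAMPLE_INVENTORY = [
    {   # vetted banking app: holds READ_SMS for one-time codes, expected
        "label": "Example Bank", "package": "com.example.bank",
        "permissions": ["android.permission.READ_SMS"],
        "device_admin": False, "install_source": PLAY_STORE, "http_post_hosts": [],
    },
    {   # store-installed classifieds client with SMS permission only
        "label": "FreeAds", "package": "com.freeads.client",
        "permissions": ["android.permission.SEND_SMS"],
        "device_admin": False, "install_source": PLAY_STORE, "http_post_hosts": [],
    },
    {   # sideloaded app copying the bank's label under another package name
        "label": "Example Bank", "package": "com.bank.example.update",
        "permissions": ["android.permission.SEND_SMS", "android.permission.RECEIVE_SMS",
                        "android.permission.READ_CONTACTS"],
        "device_admin": True, "install_source": "com.android.packageinstaller",
        "http_post_hosts": ["203.0.113.10"],   # TEST-NET address, constructed
    },
]

if __name__ == "__main__":
    for package, score, reasons in triage(SAMPLE_INVENTORY):
        print(package, score, ", ".join(reasons))
```

Run it directly and only the sideloaded look-alike is reported; the vetted bank app and the store-installed client with a lone SMS permission stay below the threshold, which is the point of scoring combinations rather than single permissions.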
Mitigation priorities
- Establish or validate Android mobile device governance for devices used in banking, finance, executive communications, or privileged business workflows.
- Restrict or review applications with SMS, contacts, SMS content provider access, and device administrator permissions, with exceptions documented for legitimate business apps.
- Use mobile device management or equivalent controls to enforce app inventory, risky-permission review, and response actions for suspicious Android applications.
- Ensure financial fraud response procedures include mobile compromise triage, SMS-based transaction review, device isolation, credential reset decisions, and evidence preservation.
- Reduce exposure from masquerading by validating trusted app sources, package metadata, and user awareness around apps that imitate legitimate names or icons.
Analyst notes and limits
The relationship context is the main source of defensive direction because the official Asacub detection field is not provided. The strongest supported business framing is mobile banking fraud risk through Android SMS behavior, supported by the official description and the SMS Control relationship. Other telemetry and controls should be treated as validation priorities derived from the listed ATT&CK technique relationships, not as confirmed observations in every Asacub incident.
This take is limited to the supplied ATT&CK object fields, external references, and relationships. ATT&CK does not specify tactics, official detections, active exploitation status, victim scope, or guaranteed indicators for this software object; the only associated name it records is Trojan-SMS.AndroidOS.Smaps. Local device ownership model, mobile logging capability, privacy rules, banking processes, and MDM coverage are required to determine actual risk and detection coverage.
Asacub
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Mobile | T1406 | Obfuscated Files or Information | Asacub has stored encrypted strings in the APK file. (Citation: Securelist Asacub) |
| Mobile | T1426 | System Information Discovery | Asacub can collect various pieces of device information, including device model and OS version. (Citation: Securelist Asacub) |
| Mobile | T1575 | Native API | Asacub has implemented functions in native code. (Citation: Securelist Asacub) |
| Mobile | T1422 | System Network Configuration Discovery | Asacub can collect various pieces of device network configuration information, such as mobile network operator. (Citation: Securelist Asacub) |
| Mobile | T1422.001 | Internet Connection Discovery | Asacub can collect various pieces of device network configuration information, such as mobile network operator. (Citation: Securelist Asacub) |
| Mobile | T1437.001 | Web Protocols | Asacub has communicated with the C2 using HTTP POST requests. (Citation: Securelist Asacub) |
| Mobile | T1636.003 | Contact List | Asacub can collect the device’s contact list. (Citation: Securelist Asacub) |
| Mobile | T1582 | SMS Control | Asacub can send SMS messages from compromised devices. (Citation: Securelist Asacub) |
| Mobile | T1655.001 | Match Legitimate Name or Location | Asacub has masqueraded as a client of popular free ads services. (Citation: Securelist Asacub) |
| Mobile | T1532 | Archive Collected Data | Asacub has encrypted C2 communications using Base64-encoded RC4. (Citation: Securelist Asacub) |
| Mobile | T1636.004 | SMS Messages | Asacub can collect SMS messages as they are received. (Citation: Securelist Asacub) |
| Mobile | T1626.001 | Device Administrator Permissions | Asacub can request device administrator permissions. (Citation: Securelist Asacub) |
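The T1532 row says C2 traffic is Base64-encoded RC4. The following is an added example of how an analyst handles that wrapping, not code from the Glexia page or from the malware: an RC4 implementation with the Base64 layer on each side, plus the known-plaintext trick that applies whenever a stream cipher is used with a static key and no per-message nonce. The key, the beacon strings and their field layout are constructed for illustration and are not values recovered from Asacub.

```python
"""Analyst-side handling of Base64-wrapped RC4 traffic (cf. the T1532 row).

Added example, not from the page or from the malware. KEY and the beacon
strings below are constructed for illustration; they are not Asacub values.
"""
import base64


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4: key scheduling, then keystream XORed over data.

    The same call encrypts and decrypts.
    """
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm (KSA)
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation (PRGA)
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def encode_c2(key: bytes, plaintext: bytes) -> str:
    """RC4 then Base64: the wrapping the procedure text describes."""
    return base64.b64encode(rc4(key, plaintext)).decode("ascii")


def decode_c2(key: bytes, blob: str) -> bytes:
    """Base64 then RC4: what an analyst runs once the key is recovered."""
    return rc4(key, base64.b64decode(blob))


def recover_keystream(blob: str, known_prefix: bytes) -> bytes:
    """Known-plaintext step: ciphertext XOR plaintext yields the keystream.

    With a static key and no nonce, RC4 produces the same keystream for every
    message, so the bytes recovered here decrypt the same positions of any
    other beacon without knowing the key at all.
    """
    ct = base64.b64decode(blob)
    return bytes(c ^ p for c, p in zip(ct, known_prefix))


def decrypt_with_keystream(blob: str, keystream: bytes) -> bytes:
    """Apply recovered keystream bytes to another blob (prefix only)."""
    ct = base64.b64decode(blob)
    return bytes(c ^ k for c, k in zip(ct, keystream))


# Constructed sample (not real): a static key and two device-profile beacons
# carrying the kinds of fields the T1426 and T1422 rows mention.
KEY = b"constructed-key"
BEACON_1 = b"model=Pixel 4&os=11&operator=ExampleMobile"
BEACON_2 = b"model=Galaxy S9&os=10&operator=OtherCarrier"


def demo() -> dict:
    blob1 = encode_c2(KEY, BEACON_1)
    blob2 = encode_c2(KEY, BEACON_2)
    # The analyst guesses every beacon starts with "model=" and so learns the
    # first six keystream bytes from blob1, then reads them off blob2.
    ks = recover_keystream(blob1, b"model=")
    return {
        "round_trip": decode_c2(KEY, blob1) == BEACON_1,
        "reuse_leak": decrypt_with_keystream(blob2, ks),
    }


if __name__ == "__main__":
    print(demo())
```

Triage use: when the APK's string decryption or the C2 routine exposes the key, `decode_c2` is all that is needed; when it does not, guessed field names at fixed offsets still recover keystream and let the analyst read those positions of every other beacon captured under the same key.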
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | dc3333ba1528… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Securelist Asacub: T. Shishkova. (2018, August 28). The rise of mobile banker Asacub. Retrieved December 14, 2020.
- [2] Trojan-SMS.AndroidOS.Smaps (associated name; Citation: Securelist Asacub)
- [3] mitre-attack S0540
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.