S1093: FlyTrap
Analyst context for executives and security teams
FlyTrap matters because it shows how mobile malware can turn a consumer-style social engineering lure into account compromise risk. In the supplied ATT&CK record, FlyTrap is an Android trojan associated with compromising Facebook accounts, initially detected in infected Google Play apps, with behaviors including collecting stored application data, capturing GUI input, discovering network connectivity, tracking location, using web protocols for command and control, and exfiltrating data over that channel. For organizations, the decision issue is not only “is this malware present,” but whether mobile devices that access business communications, identity recovery channels, social media administration, or executive accounts are governed, monitored, and recoverable enough to contain account tak
Executive priority
Prioritize FlyTrap as a mobile account-compromise and data-exposure scenario for Android environments. Leaders should ask whether corporate or bring-your-own Android devices have enforceable app-source controls, mobile threat visibility, permission governance, and incident response playbooks for compromised personal or social accounts that may intersect with business operations. This is especially relevant where employees administer brand social media, use mobile devices for identity workflows, or carry sensitive location and application data. The ATT&CK object does not provide a specific detection method, so coverage should be proven with local telemetry and control evidence rather than assumed.
Technical view
SOC, detection, and IR teams should validate Android-focused visibility around the related ATT&CK behaviors: access to stored application data, suspicious credential or sensitive-input prompts through GUI mimicry, network and Internet connectivity checks, location permission use, HTTP/HTTPS communications to remote infrastructure, and data exfiltration over the same command-and-control channel. Because no official detection text is supplied, detections should be built from observable combinations: risky app installation history, excessive or suspicious permissions, anomalous web traffic, unexpected location access, and evidence of account compromise involving Facebook or similar mobile-accessed applications. Relationship context supports focusing on T1409, T1417.002, T1422, T1422.001, T1430, T1437.001, and T1646.
Likely telemetry
- Android mobile device management or enterprise mobility management inventory and compliance state
- Installed application inventory, source, package metadata, and app reputation where available
- Android permission grants, especially location access and access patterns relevant to sensitive application data
- Mobile threat defense or endpoint security alerts for trojanized or suspicious applications
- Network telemetry for Android device HTTP/HTTPS communications, including destination, frequency, and volume where privacy and architecture allow
Detection direction
- Do not rely on a single malware name match; validate behavior-based coverage for the related techniques because the ATT&CK object provides no official detection guidance.
- Tune for clusters of mobile risk signals: newly installed or untrusted Android apps plus suspicious permissions, credential-like GUI prompts, web-protocol communications, and possible exfiltration volume or timing anomalies.
- Review blind spots in BYOD, unmanaged Android devices, encrypted HTTPS visibility, privacy-limited mobile telemetry, and accounts outside corporate identity control.
- Correlate mobile alerts with account takeover indicators, especially where users manage business social media or use mobile devices in identity recovery workflows.
- Account for false positives from legitimate apps that use location, web protocols, and network checks; prioritize suspicious app provenance, permission overreach, and account-security events.
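The cluster-based tuning above, as an added example that is not part of the ATT&CK record or of Glexia's tooling: each per-app Android record (merged MDM inventory, permission grants, mobile threat defense flags and network telemetry; the field names, thresholds and sample records are constructed assumptions) is scored on the signals this page lists, each signal is mapped to the technique IDs in the relationship table, and an alert fires only when several signals cluster, so a benign navigation app with location access and web traffic stays quiet.

```python
from dataclasses import dataclass

UPLOAD_THRESHOLD = 5_000_000   # bytes out per window; assumed tuning value
NEW_INSTALL_DAYS = 7           # "newly installed" window; assumed

# Signal -> technique IDs from this page's relationship table (assumed mapping).
SIGNAL_TECHNIQUES = {
    "new_install": [], "untrusted_source": [],
    "login_overlay": ["T1417.002"], "location_permission": ["T1430"],
    "network_config_read": ["T1422", "T1422.001"], "other_app_data": ["T1409"],
    "http_c2_like": ["T1437.001"], "upload_volume": ["T1646"],
}

@dataclass
class AppRecord:                # one merged MDM + MTD + network record per app
    package: str
    source: str                 # "play", "sideload" or "unknown" (assumed field)
    installed_days_ago: int
    permissions: frozenset
    login_overlay: bool         # MTD flag for a credential-like prompt (assumed)
    http_hosts: int             # distinct plain-HTTP destinations seen
    bytes_out: int              # upload volume over the window
    reads_network_config: bool
    reads_other_app_data: bool

def signals(r: AppRecord) -> list:
    checks = [
        ("new_install", r.installed_days_ago <= NEW_INSTALL_DAYS),
        ("untrusted_source", r.source != "play"),
        ("login_overlay", r.login_overlay),
        ("location_permission", "ACCESS_FINE_LOCATION" in r.permissions),
        ("network_config_read", r.reads_network_config),
        ("other_app_data", r.reads_other_app_data),
        ("http_c2_like", r.http_hosts > 0),
        ("upload_volume", r.bytes_out > UPLOAD_THRESHOLD),
    ]
    return [name for name, hit in checks if hit]

def assess(r: AppRecord, min_signals: int = 4) -> dict:
    """Alert on a cluster of signals; any single one is normal for benign apps."""
    sig = signals(r)
    techs = sorted({t for s in sig for t in SIGNAL_TECHNIQUES[s]})
    return {"package": r.package, "signals": sig, "techniques": techs,
            "alert": len(sig) >= min_signals}

# Constructed sample records: a benign navigation app and a trojanized Play app.
BENIGN = AppRecord("com.example.maps", "play", 400, frozenset({"ACCESS_FINE_LOCATION"}),
                   False, 2, 200_000, False, False)
SUSPECT = AppRecord("com.example.freecoupons", "play", 2, frozenset({"ACCESS_FINE_LOCATION"}),
                    True, 1, 9_000_000, True, True)
```

Note that SUSPECT is installed from Play, matching the record's statement that FlyTrap was first detected in infected Google Play apps, so provenance alone would not have caught it; the cluster does.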
Mitigation priorities
- Establish or validate Android app governance: approved app sources, managed app catalogs where applicable, and controls against untrusted or unnecessary applications.
- Enforce mobile device management or equivalent policy for business-accessing Android devices, including inventory, compliance checks, and removal/quarantine workflows.
- Apply least-privilege permission practices for mobile apps, especially location access and access to sensitive application data where controls permit.
- Prepare incident response procedures for mobile malware and social account compromise, including device isolation, app removal, credential/session reset, and review of affected account activity.
- Ensure business-critical social media and identity-adjacent accounts use strong authentication, recovery governance, and administrative separation to reduce the impact of mobile credential capture.
Analyst notes and limits
The supplied ATT&CK record identifies FlyTrap as Android malware and provides relationship context to several mobile techniques, but it does not specify ATT&CK tactics or official detection logic. The Trend Micro reference is the only non-MITRE source supplied in the object. Glexia’s interpretation therefore focuses on defensive validation areas supported by the official description and relationships rather than asserting current prevalence, attribution, or guaranteed detection.
This take is limited to the supplied STIX fields, external references, and relationships. It does not establish current activity, customer exposure, specific indicators of compromise, affected app names, infrastructure, or validated detection analytics. Local environment evidence is required to determine whether Android devices, social accounts, mobile telemetry, and response processes are actually exposed or covered.
FlyTrap
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Mobile | T1437.001 | Web Protocols (sub-technique) | FlyTrap can use HTTP to communicate with the C2 server. (Citation: Zimperium FlyTrap) |
| Mobile | T1422.001 | Internet Connection Discovery (sub-technique) | FlyTrap can collect IP address and network configuration information. (Citation: Trend Micro FlyTrap) |
| Mobile | T1409 | Stored Application Data | FlyTrap can collect Facebook account information, such as Facebook ID, email address, cookies, and login tokens. (Citation: Trend Micro FlyTrap) (Citation: Zimperium FlyTrap) |
| Mobile | T1430 | Location Tracking | FlyTrap can collect device geolocation data. (Citation: Trend Micro FlyTrap) |
| Mobile | T1646 | Exfiltration Over C2 Channel | FlyTrap can use HTTP to exfiltrate data to the C2 server. (Citation: Zimperium FlyTrap) |
| Mobile | T1417.002 | GUI Input Capture (sub-technique) | FlyTrap has used infected applications with Facebook login prompts to steal credentials. (Citation: Trend Micro FlyTrap) |
| Mobile | T1422 | System Network Configuration Discovery | FlyTrap can collect IP address and network configuration information. (Citation: Trend Micro FlyTrap) |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | e0c239c6ee54… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Trend Micro FlyTrap: Trend Micro. (2021, August 17). FlyTrap Android Malware Is Taking Over Facebook Accounts — Protect Yourself With a Malware Scanner. Retrieved September 28, 2023.
- [2] mitre-attack S1093: MITRE ATT&CK software entry for S1093.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.