MITRE ATT&CK® Technique

T1422.001: Internet Connection Discovery

Adversaries may check for Internet connectivity on compromised systems. This may be performed during automated discovery and can be accomplished in numerous ways such as using `adb shell netstat` for Android.[1]

Adversaries may use the results and responses from these requests to determine if the mobile devices are capable of communicating with adversary-owned C2 servers before attempting to connect to them. The results may also be used to identify routes, redirectors, and proxy servers.

Mobile | T1422.001 | Sub-technique | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

Internet Connection Discovery is a mobile behavior where malware or an unauthorized actor checks whether an Android or iOS device can reach the Internet before attempting command-and-control communication or mapping routes, proxies, and redirectors. For leaders, its value is as an early warning and readiness test: if mobile devices are part of workforce access, banking, field operations, or executive communications, defenders need enough mobile and network visibility to distinguish normal connectivity checks from suspicious pre-C2 discovery.

Executive priority

Prioritize this as a mobile security visibility and resilience question rather than a standalone high-impact event. The business decision is whether managed detection, mobile device management, network monitoring, and incident response playbooks can observe suspicious connectivity discovery before follow-on communication or data theft. It also supports audit and compliance evidence around encrypted application traffic, mobile monitoring coverage, and controls for high-risk users and unmanaged devices.

Technical view

This is ATT&CK Mobile sub-technique T1422.001 under System Network Configuration Discovery, applicable to Android and iOS. MITRE notes that adversaries may check Internet connectivity using methods such as Android adb shell netstat, and may use results to decide whether to contact adversary-owned C2 infrastructure or identify routes, redirectors, and proxy servers. Official detection text is not provided, but relationship context includes DET0708, Detection of Internet Connection Discovery. SOC and IR teams should validate whether mobile telemetry can show unusual connectivity probes, network-state inspection, command execution such as ADB-related netstat activity on Android where available, and subsequent outbound connection attempts.

Likely telemetry

  • Mobile threat defense or mobile EDR events for network-state checks and suspicious app behavior
  • Android command or debugging telemetry where ADB activity is enabled or observable
  • Device network connection metadata, including destination IPs, ports, timing, and repeated connectivity tests
  • DNS, proxy, VPN, secure web gateway, and firewall logs associated with mobile device traffic
  • MDM/UEM inventory showing device ownership, platform, installed apps, compliance state, and network configuration

Detection direction

  • Validate DET0708-style coverage against mobile connectivity discovery, especially events that precede outbound C2-like communication attempts.
  • Correlate connectivity checks with suspicious or newly installed apps, abnormal permissions, ADB/debugging exposure on Android, or traffic to unusual external infrastructure.
  • Tune for context: many legitimate apps check network availability, so detections should combine frequency, process/app identity, destination behavior, device risk, and follow-on connections rather than alerting on connectivity checks alone.
  • Account for platform blind spots: iOS and personally owned or unmanaged devices may provide limited process-level telemetry, making network, MDM, and mobile threat defense signals more important.
  • Use relationship context for hunt prioritization: this behavior is associated in ATT&CK with multiple Android malware families and at least one iOS-related software entry, so high-risk mobile populations merit focused validation.
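
A concrete form of the correlation logic described in the list above, as an added example that is not part of the Glexia page or of ATT&CK: it flags a (device, app) pair only when repeated connectivity probes by an unapproved app are followed within a short window by a connection to a destination outside the baseline. The approved-app list, the connectivity-check host, the baseline destinations and the telemetry rows are constructed sample values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample inputs (not real data): an approved-app list from MDM/UEM,
# a hypothetical connectivity-check host, known-good destinations from a local
# baseline, and device network connection metadata as an MTD/MDM export might deliver it.
APPROVED_APPS = {"com.example.mail", "com.example.bank"}        # hypothetical package names
PROBE_HOSTS = {"connectivitycheck.example.net"}                   # hypothetical probe endpoint
BASELINE_DESTS = {"mail.example.com", "api.example-bank.com"}     # hypothetical baseline

CONNECTIONS = [
    # (device id, app package, destination host, port, ISO-8601 timestamp)
    ("dev-1", "com.example.mail", "connectivitycheck.example.net", 80, "2024-01-05T09:00:00"),
    ("dev-1", "com.example.mail", "mail.example.com", 443, "2024-01-05T09:00:02"),
    ("dev-2", "com.unknown.flashlight", "connectivitycheck.example.net", 80, "2024-01-05T09:10:00"),
    ("dev-2", "com.unknown.flashlight", "connectivitycheck.example.net", 80, "2024-01-05T09:10:30"),
    ("dev-2", "com.unknown.flashlight", "connectivitycheck.example.net", 80, "2024-01-05T09:11:00"),
    ("dev-2", "com.unknown.flashlight", "203.0.113.7", 8080, "2024-01-05T09:12:15"),  # TEST-NET-3 address
]

def find_suspicious_discovery(connections, probe_threshold=3, window=timedelta(minutes=10)):
    """Return findings for (device, app) pairs where an unapproved app issued at
    least `probe_threshold` connectivity probes and then, within `window` of the
    last probe, connected to a destination outside the baseline."""
    by_key = defaultdict(list)
    for dev, app, dest, port, ts in connections:
        by_key[(dev, app)].append((datetime.fromisoformat(ts), dest, port))
    findings = []
    for (dev, app), events in by_key.items():
        if app in APPROVED_APPS:
            continue  # approved apps checking connectivity is expected; no alert on probes alone
        events.sort()
        probes = [t for t, dest, _ in events if dest in PROBE_HOSTS]
        if len(probes) < probe_threshold:
            continue  # frequency gate: a single probe is normal app behaviour
        last_probe = probes[-1]
        follow_on = [(dest, port) for t, dest, port in events
                     if dest not in PROBE_HOSTS and dest not in BASELINE_DESTS
                     and last_probe <= t <= last_probe + window]
        if follow_on:  # only probes followed by an unusual outbound connection are reported
            findings.append({"device": dev, "app": app,
                             "probe_count": len(probes), "follow_on": follow_on})
    return findings

if __name__ == "__main__":
    for f in find_suspicious_discovery(CONNECTIONS):
        print(f)
```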

Mitigation priorities

  • Start by ensuring managed mobile devices have MDM/UEM enrollment, device compliance checks, and approved app governance sufficient to support investigation.
  • Apply M1009 guidance: require application network traffic to use TLS, and use iOS App Transport Security where applicable to help protect sensitive application communications.
  • Reduce unnecessary Android debugging or ADB exposure on production devices and treat observed ADB command activity as investigation-worthy in managed environments.
  • Strengthen mobile network monitoring through VPN, proxy, DNS, firewall, or mobile threat defense controls where privacy and operating model allow.
  • Prepare IR playbooks for suspected mobile malware that include device isolation, app inventory review, network timeline reconstruction, and evidence preservation constraints for Android and iOS.

Analyst notes and limits

The strongest decision value is coverage validation: can the organization see mobile discovery behavior and connect it to suspicious apps or outbound communication? The relationship list shows this technique is used by numerous ATT&CK software entries, including Pegasus for Android, RedDrop, Exodus, Monokle, Corona Updates, TrickMo, INSOMNIA, EventBot, ViperRAT, FakeSpy, Exobot, CarbonSteal, Asacub, TERRACOTTA, TianySpy, AbstractEmu, Hornbill, BOULDSPY, and FlyTrap. That supports prioritizing mobile telemetry for users or workflows where compromised phones could affect identity, financial access, executive communications, or field operations.

ATT&CK provides no official detection text and no tactic for this object. The supplied relationship to DET0708 names a detection strategy but does not include implementation detail. Telemetry availability varies significantly between Android, iOS, managed, unmanaged, corporate-owned, and BYOD devices. Local baselines are required because benign applications commonly check Internet connectivity.

Official MITRE ATT&CK definition

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row

Domain | ID | Name | Relationship / procedure
Mobile | T1422 | System Network Configuration Discovery | This object is a sub-technique of System Network Configuration Discovery.
Associated objects

Groups, software, and campaigns

S0427: TrickMo (Malware, Mobile; platform: Android)

TrickMo is a 2FA bypass mobile banking trojan, most likely being distributed by TrickBot. TrickMo has been primarily targeting users located in Germany.[1]

TrickMo is designed to steal transaction authorization numbers (TANs), which are typically used as one-time passwords.[1]

S1061: AbstractEmu (Malware, Mobile; platform: Android)

AbstractEmu is mobile malware that was first seen in Google Play and other third-party stores in October 2021. It was discovered in 19 Android applications, of which at least 7 abused known Android exploits for obtaining root permissions. AbstractEmu was observed primarily impacting users in the United States; however, victims are believed to be across a total of 17 countries.[1]

S0407: Monokle (Malware, Mobile; platform: Android)

Monokle is targeted, sophisticated mobile surveillanceware. It is developed for Android, but there are some code artifacts that suggest an iOS version may be in development.[1]

S0509: FakeSpy (Malware, Mobile; platform: Android)

FakeSpy is Android spyware that has been operated by the Chinese threat actor behind the Roaming Mantis campaigns.[1]

S0405: Exodus (Malware, Mobile; platform: Android)

Exodus is Android spyware deployed in two distinct stages named Exodus One (dropper) and Exodus Two (payload).[1]

S1056: TianySpy (Malware, Mobile; platforms: Android, iOS)

TianySpy is a mobile malware primarily spread by SMS phishing between September 30 and October 12, 2021. TianySpy is believed to have targeted credentials associated with membership websites of major Japanese telecommunication services.[1]

S1093: FlyTrap (Malware, Mobile; platform: Android)

FlyTrap is an Android trojan, first detected in March 2021, that uses social engineering tactics to compromise Facebook accounts. FlyTrap was initially detected through infected apps on the Google Play store, and is believed to have impacted over 10,000 victims across at least 140 countries.[1]

S0540: Asacub (Malware, Mobile; platform: Android)

Asacub is a banking trojan that attempts to steal money from victims’ bank accounts. It attempts to do this by initiating a wire transfer via SMS message from compromised devices.[1]

S0522: Exobot (Malware, Mobile; platform: Android)

Exobot is Android banking malware, primarily targeting financial institutions in Germany, Austria, and France.[1]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 10524059214e6013...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | 10524059214e…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] adb_commands: Pulimet. (2017, September 11). AdbCommands. Retrieved December 14, 2023.
  2. [2] mitre-attack T1422.001.
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.