T1464: Network Denial of Service
Adversaries may perform Network Denial of Service (DoS) attacks to degrade or block the availability of targeted resources to users. Network DoS can be performed by exhausting the network bandwidth that services rely on, or by jamming the signal going to or coming from devices.
A Network DoS will occur when an adversary is able to jam radio signals (e.g. Wi-Fi, cellular, GPS) around a device to prevent it from communicating. For example, to jam cellular signal, an adversary may use a handheld signal jammer, which jams devices within the jammer’s operational range.[1]
Usage of cellular jamming has been documented in several arrests reported in the news.[2][3][4][5]
Analyst context for executives and security teams
Network Denial of Service in the mobile context is about making Android or iOS devices unable to communicate by exhausting network capacity or interfering with radio signals such as Wi-Fi, cellular, or GPS. For leaders, the material issue is not malware execution alone; it is loss of availability for mobile-dependent workflows, location services, communications, authentication, and field operations. ATT&CK also links this technique to S.O.V.A., an Android banking trojan, so defenders should consider both environmental signal disruption and malware-related mobile availability issues when validating coverage.
Executive priority
Prioritize this where mobile connectivity is operationally important: executive communications, field staff, incident response coordination, mobile banking or commerce workflows, location-dependent services, and cyber-physical environments that rely on cellular, Wi-Fi, or GPS. Leadership should ask whether the organization can distinguish carrier outage, local radio interference, Wi-Fi disruption, and compromised-device behavior quickly enough to make incident decisions and preserve business continuity. This technique also has compliance and audit relevance where mobile availability, incident escalation, or continuity controls must be evidenced rather than assumed.
Technical view
ATT&CK provides Android and iOS as platforms and describes network bandwidth exhaustion or radio-signal jamming affecting Wi-Fi, cellular, and GPS. No official detection text is provided, but the relationship to DET0639 indicates a detection strategy exists for Network Denial of Service. SOC and IR teams should validate whether they can correlate mobile device connectivity loss, carrier/Wi-Fi telemetry, GPS degradation reports, help desk incident clusters, and physical-location context. Because S.O.V.A. is related as Android software using this technique, Android mobile threat telemetry should also be reviewed for availability-impacting behavior in addition to environmental RF or network causes.
Likely telemetry
- Mobile device management or enterprise mobility status showing device connectivity, enrollment check-ins, and network transitions
- Android and iOS device health, network, and application telemetry where available
- Wi-Fi controller, access point, and LAN telemetry for association failures, disconnections, and localized service degradation
- Cellular service or carrier incident information where available to the organization
- GPS or location-service failure reports from affected mobile applications or devices
Detection direction
- Validate DET0639-relevant coverage against the organization’s actual mobile platforms and managed-device population rather than assuming endpoint or network tooling sees radio-layer disruption.
- Tune for clusters: many devices in the same location or time window losing Wi-Fi, cellular, or GPS service may indicate a different investigation path than one compromised Android device.
- Separate common false positives such as carrier outages, building coverage gaps, Wi-Fi misconfiguration, captive portal issues, device power state, and application outages before escalating as adversary activity.
- For Android environments, include mobile malware context because the supplied relationships identify S.O.V.A. as software using this technique; avoid extending that relationship to iOS without supporting evidence.
- Ensure incident triage can preserve location, time, affected radio type, affected service, and device population because these details often decide whether the event is network, device, application, carrier, or physical-layer related.
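An added example (not part of the ATT&CK object or of Glexia's tooling) of the cluster-versus-single-device split described in the list above. The record layout, site names, 10-minute window and three-device threshold are assumptions, and the sample rows are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample rows (not real telemetry). Assumed layout of an MDM or
# help desk export: (time, device, site, affected radio, platform).
EVENTS = [
    ("2024-05-01T09:00:10", "dev-01", "HQ-lobby", "cellular", "android"),
    ("2024-05-01T09:01:45", "dev-02", "HQ-lobby", "cellular", "ios"),
    ("2024-05-01T09:03:20", "dev-03", "HQ-lobby", "cellular", "android"),
    ("2024-05-01T09:04:05", "dev-04", "HQ-lobby", "cellular", "ios"),
    ("2024-05-01T09:02:00", "dev-05", "Warehouse", "wifi", "android"),
    ("2024-05-01T13:30:00", "dev-06", "HQ-lobby", "cellular", "ios"),
    ("2024-05-01T09:03:00", "dev-01", "HQ-lobby", "cellular", "android"),  # repeat
]

def find_clusters(events, window=timedelta(minutes=10), min_devices=3):
    """Flag (site, radio) windows in which many distinct devices lost service."""
    by_key = defaultdict(list)
    for ts, dev, site, radio, platform in events:
        by_key[(site, radio)].append((datetime.fromisoformat(ts), dev, platform))
    clusters = []
    for (site, radio), rows in by_key.items():
        rows.sort()
        i = 0
        while i < len(rows):
            j = i
            while j < len(rows) and rows[j][0] - rows[i][0] <= window:
                j += 1
            devices = {dev for _, dev, _ in rows[i:j]}  # repeats count once
            if len(devices) >= min_devices:
                clusters.append({"site": site, "radio": radio,
                                 "start": rows[i][0], "end": rows[j - 1][0],
                                 "devices": sorted(devices),
                                 "platforms": sorted({p for _, _, p in rows[i:j]})})
                i = j
            else:
                i += 1
    return clusters

def triage(events, **kw):
    """Return (localized clusters, isolated reports that fall outside them)."""
    clusters = find_clusters(events, **kw)
    isolated = [(dev, site, radio, platform)
                for ts, dev, site, radio, platform in events
                if not any(c["site"] == site and c["radio"] == radio and
                           c["start"] <= datetime.fromisoformat(ts) <= c["end"]
                           for c in clusters)]
    return clusters, isolated
```

Each cluster keeps the site, time span, radio type and device population for triage, and its platform list shows whether the loss spans both Android and iOS; the isolated rows are the ones to route to per-device review.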
Mitigation priorities
- Define continuity plans for mobile-dependent processes, including alternate communications paths when cellular, Wi-Fi, or GPS is unavailable.
- Inventory business services that depend on Android or iOS connectivity and identify which ones require monitored availability and escalation paths.
- Baseline normal mobile connectivity by site and user group so localized disruption can be recognized faster.
- Coordinate SOC, network, mobile device management, physical security, and facilities response procedures for suspected signal interference or localized network denial conditions.
- For Android risk, maintain mobile security controls and incident response playbooks that account for malware-linked availability disruption, while validating conclusions against local telemetry.
Analyst notes and limits
This Glexia take is based on the ATT&CK T1464 object, its external references to NIST mobile threat catalogue entries and public reporting on cellular jamming, and the supplied relationships to DET0639 and S.O.V.A. The object has no specified ATT&CK tactic and no official detection text, so detection guidance is framed as validation direction rather than guaranteed coverage.
The supplied data does not provide detailed detection logic, mitigations, procedures, impact levels, or active exploitation claims. Local carrier visibility, Wi-Fi infrastructure logs, mobile management coverage, and physical-site context are required to assess exposure and detection maturity.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Groups, software, and campaigns
S1062: S.O.V.A.
S.O.V.A. is an Android banking trojan that was first identified in August 2021 and has subsequently been found in a variety of applications, including banking, cryptocurrency wallet/exchange, and shopping apps. S.O.V.A., which is Russian for "owl", contains features not commonly found in Android malware, such as session cookie theft.[1][2]
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.4 | | Current bundle | 7a6c6805720a… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] NIST-SP800187. Jeffrey Cichonski, Joshua M Franklin, Michael Bartock. (2017, December). Guide to LTE Security. Retrieved January 20, 2017.
- [2] CNET-Celljammer. Chris Matyszczyk. (2014, May 1). FCC: Man used device to jam drivers' cell phone calls. Retrieved November 8, 2018.
- [3] NYTimes-Celljam. Matt Richtel. (2007, November 4). Devices Enforce Silence of Cellphones, Illegally. Retrieved November 8, 2018.
- [4] Digitaltrends-Celljam. Trevor Mogg. (2015, June 5). Florida teacher punished after signal-jamming his students’ cell phones. Retrieved November 8, 2018.
- [5] Arstechnica-Celljam. David Kravets. (2016, March 10). Man accused of jamming passengers’ cell phones on Chicago subway. Retrieved November 8, 2018.
- [6] NIST Mobile Threat Catalogue CEL-7
- [7] NIST Mobile Threat Catalogue CEL-8
- [8] NIST Mobile Threat Catalogue GPS-0
- [9] NIST Mobile Threat Catalogue LPN-5
- [10] mitre-attack T1464
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.