T1481.002: Bidirectional Communication
Adversaries may use an existing, legitimate external Web service channel as a means for sending commands to and receiving output from a compromised system. Compromised systems may leverage popular websites and social media to host command and control (C2) instructions. Those infected systems can then send the output from those commands back over the same Web service channel. The return traffic may take a variety of forms, depending on the Web service being utilized: the compromised system may post a comment on a forum, issue a pull request to a development project, update a document hosted on a Web service, or send a Tweet.
Popular websites and social media, acting as a mechanism for C2, may give a significant amount of cover. This is due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Analyst context for executives and security teams
Bidirectional Communication is a mobile command-and-control behavior where compromised Android or iOS devices use legitimate web services, popular websites, or social media channels to receive instructions and send results back. The business issue is that this traffic blends into normal mobile app and web activity, usually over SSL/TLS, so simple blocklists or perimeter-only monitoring provide weak evidence of whether a device is under external control.
Executive priority
Treat this as a mobile visibility and policy-control problem, not only a malware problem. Leaders should ask whether corporate mobile devices, BYOD access paths, and mobile-enabled business processes have enough network, application, and device telemetry to distinguish approved use of common web services from suspicious automated exchange. This matters for incident decision-making, compliance evidence around monitored endpoints, and resilience where mobile devices access sensitive communications, identity systems, or business data.
Technical view
For SOC, detection engineering, and IR teams, validate coverage for Android and iOS devices communicating with legitimate external web services in patterns consistent with command retrieval and result submission. ATT&CK provides no official detection text for this object, but the relationship to DET0700 indicates a detection strategy exists for Bidirectional Communication. Use the parent Web Service context: focus on web-service-mediated data relay, especially where traffic to common providers is expected and encrypted. Relationship context shows Android malware/software examples using this behavior, so Android telemetry should be explicitly validated; iOS remains in scope because the technique lists iOS as a platform.
Likely telemetry
- Mobile device network connection metadata, including destination domains, URLs where available, timing, volume, and user/app association
- Mobile endpoint or MDM/UEM application inventory and app installation source data
- Mobile security telemetry showing app behavior, permissions, background activity, and external service access
- Proxy, secure web gateway, DNS, and firewall logs for mobile-originated traffic
- Identity and cloud access logs that show mobile device, user, and application context
Detection direction
- Confirm whether monitoring can associate web-service traffic with a specific mobile device, user, and application; without that linkage, common services create a major blind spot.
- Baseline legitimate mobile use of popular websites, social media, and hosted document/development services before alerting on anomalies, because the technique relies on expected noise.
- Tune for repeated automated check-ins, unusual posting or update behavior, abnormal background traffic, or web-service access by untrusted or newly installed apps rather than treating all traffic to popular services as suspicious.
- Account for SSL/TLS encryption: teams may need metadata, device posture, app reputation, DNS/proxy context, and mobile EDR/MDM signals instead of relying on payload inspection.
- Use relationship-driven context from known Android software examples as threat-intelligence enrichment, but do not assume those software families are present without local evidence.
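Detection logic of the kind the list above describes, as an added example that is not part of the MITRE object or of Glexia's analysis. It runs over constructed proxy records that are already joined to device and app identity (the linkage an MDM/UEM integration would supply), a constructed MDM inventory, and an (app, host) baseline; every host, app identifier, field name, threshold and weight is an assumption chosen for illustration. It scores four of the signals called out above: periodic check-ins, writes that closely follow reads (output posted after a command fetch), app/host pairs absent from the baseline, and apps that are sideloaded, unknown to MDM, or newly installed.

```python
"""Added detection sketch: web-service-mediated two-way C2 from mobile devices.
Constructed example, not MITRE or Glexia code. Log format, field names, hosts,
app identifiers, inventory layout, thresholds and weights are all assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import mean, pstdev

# Constructed proxy/SWG records already joined to device and app identity (the
# linkage an MDM/UEM integration supplies). Fields: ts device app host method
PROXY_LOG = """\
2024-05-01T08:00:00Z dev-0042 com.example.newsreader social.example.net GET
2024-05-01T08:00:03Z dev-0042 com.example.newsreader social.example.net POST
2024-05-01T08:05:00Z dev-0042 com.example.newsreader social.example.net GET
2024-05-01T08:05:02Z dev-0042 com.example.newsreader social.example.net POST
2024-05-01T08:10:01Z dev-0042 com.example.newsreader social.example.net GET
2024-05-01T08:15:00Z dev-0042 com.example.newsreader social.example.net GET
2024-05-01T08:15:04Z dev-0042 com.example.newsreader social.example.net POST
2024-05-01T08:20:00Z dev-0042 com.example.newsreader social.example.net GET
2024-05-01T08:01:10Z dev-0042 com.example.social social.example.net GET
2024-05-01T08:13:45Z dev-0042 com.example.social social.example.net GET
2024-05-01T08:14:02Z dev-0042 com.example.social social.example.net POST
2024-05-01T09:40:12Z dev-0042 com.example.social social.example.net GET
2024-05-01T08:02:00Z dev-0077 com.example.mail mail.example.com GET
2024-05-01T08:32:00Z dev-0077 com.example.mail mail.example.com GET
2024-05-01T09:02:00Z dev-0077 com.example.mail mail.example.com GET
2024-05-01T09:32:00Z dev-0077 com.example.mail mail.example.com GET
2024-05-01T10:02:00Z dev-0077 com.example.mail mail.example.com GET
"""
# Constructed MDM/UEM inventory: (device, app) -> (install source, install time).
APP_INVENTORY = {
    ("dev-0042", "com.example.newsreader"): ("sideload", "2024-04-29T19:12:00Z"),
    ("dev-0042", "com.example.social"): ("store", "2023-11-02T10:00:00Z"),
    ("dev-0077", "com.example.mail"): ("store", "2023-06-14T08:30:00Z"),
}
# (app, host) pairs seen during a baselining period, i.e. expected noise.
BASELINE = {("com.example.social", "social.example.net"),
            ("com.example.mail", "mail.example.com")}
WEIGHTS = {"periodic": 2, "bidirectional": 2, "unbaselined": 1, "untrusted_app": 1}
ALERT_THRESHOLD = 4  # no single weak signal alerts on its own


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse_log(text):
    """Group records by (device, app, host), each group sorted by time."""
    groups = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            ts, device, app, host, method = line.split()
            groups[(device, app, host)].append({"ts": _ts(ts), "method": method})
    for rows in groups.values():
        rows.sort(key=lambda r: r["ts"])
    return groups

def is_periodic(times, min_count=5, max_cv=0.15):
    """Regular inter-arrival gaps (low coefficient of variation) look like
    automated check-ins rather than human-driven use."""
    if len(times) < min_count:
        return False
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    avg = mean(gaps)
    return avg > 0 and pstdev(gaps) / avg <= max_cv

def writes_after_reads(rows, window_s=30):
    """Count POST/PUT requests issued shortly after a GET to the same service:
    the 'fetch command, post output' shape of bidirectional web-service C2."""
    reads = [r["ts"] for r in rows if r["method"] == "GET"]
    return sum(1 for r in rows if r["method"] in ("POST", "PUT")
               and any(0 <= (r["ts"] - t).total_seconds() <= window_s for t in reads))

def score_groups(log_text=PROXY_LOG, inventory=APP_INVENTORY, baseline=BASELINE,
                 recent_days=7):
    """Return {(device, app, host): {"score": int, "reasons": [...]}}."""
    out = {}
    for key, rows in parse_log(log_text).items():
        device, app, host = key
        reasons = []
        if is_periodic([r["ts"] for r in rows if r["method"] == "GET"]):
            reasons.append("periodic")
        if writes_after_reads(rows):
            reasons.append("bidirectional")
        if (app, host) not in baseline:
            reasons.append("unbaselined")
        source, installed = inventory.get((device, app), ("unknown", None))
        recent = installed is not None and \
            rows[0]["ts"] - _ts(installed) <= timedelta(days=recent_days)
        if source != "store" or recent:  # sideloaded, unknown to MDM, or brand new
            reasons.append("untrusted_app")
        out[key] = {"score": sum(WEIGHTS[r] for r in reasons), "reasons": reasons}
    return out

def alerts(**kwargs):
    """Groups at or above the threshold, most suspicious first."""
    scored = score_groups(**kwargs)
    return sorted((k for k, v in scored.items() if v["score"] >= ALERT_THRESHOLD),
                  key=lambda k: -scored[k]["score"])
```

In the constructed data the mail client polls on an exact 30-minute cadence and still does not alert: periodicity alone scores below the threshold once the pair is baselined and the app is store-installed. The sideloaded newsreader crosses it only because regular reads, prompt writes, an unbaselined pair and an untrusted install source coincide. Weights, windows and the threshold are placeholders that need local tuning against real baselines.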
Mitigation priorities
- Prioritize mobile asset and app governance: know which Android and iOS devices access business resources and which apps are allowed to communicate with external services.
- Enforce mobile device management or equivalent controls for enterprise devices, including app installation policy, device posture requirements, and response actions for suspicious or unmanaged devices.
- Restrict or monitor high-risk mobile access to sensitive business, identity, and cloud services when device health or app trust cannot be established.
- Improve logging paths for mobile traffic through DNS, proxy, secure web gateway, cloud access, and identity systems so investigators can reconstruct web-service-mediated communication.
- Prepare IR playbooks for mobile compromise that include device isolation, app triage, user/account review, and preservation of relevant network and mobile-management evidence.
Analyst notes and limits
The supplied object is a mobile ATT&CK sub-technique under Web Service. Its practical defensive value is in validating whether legitimate external web services can be monitored well enough when they are abused as two-way C2 channels. The listed software relationships are Android-focused, while the technique platform field includes both Android and iOS.
MITRE provided no official detection text and no tactic value in the supplied fields. This take does not assert current exploitation, customer exposure, attribution, or confirmed detection coverage. Local mobile architecture, BYOD policy, encrypted traffic handling, and available telemetry determine actual risk and coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Related techniques
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Mobile | T1481 | Web Service | This object is a sub-technique of Web Service. |
Groups, software, and campaigns
S0655: BusyGasper
BusyGasper is Android spyware that has been in use since May 2016. There have been fewer than 10 victims, all of whom appear to be located in Russia, and all were infected via physical access to the device.[1]
S0485: Mandrake
Mandrake is a sophisticated Android espionage platform that has been active in the wild since at least 2016. Mandrake is very actively maintained, with sophisticated features and attacks that are executed with surgical precision.
Mandrake has gone undetected for several years by providing legitimate, ad-free applications with social media and real reviews to back the apps. The malware is only activated when the operators issue a specific command.[1]
S0545: TERRACOTTA
TERRACOTTA is an ad fraud botnet that has been capable of generating over 2 billion fraudulent requests per week.[1]
S9006: VajraSpy
VajraSpy is Android malware distributed via trojanized messaging and news applications. It has been used to target individuals in Pakistan and India since at least 2021 and has been delivered through the Google Play Store, malicious domains, and other uncontrolled distribution channels. VajraSpy is attributed with high confidence to Patchwork, which has used the malware to conduct targeted espionage, primarily against devices in Pakistan.[1][2][3]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.2 | | Current bundle | c2a6653e7fc9… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] MITRE ATT&CK, T1481.002 Bidirectional Communication (mitre-attack source record)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.