MITRE ATT&CK® Technique

T1544: Ingress Tool Transfer

Adversaries may transfer tools or other files from an external system onto a compromised device to facilitate follow-on actions. Files may be copied from an external adversary-controlled system through the command and control channel or through alternate protocols with another tool such as FTP.

Mobile | T1544 | Technique | Object v2.2 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

Ingress Tool Transfer matters because a compromised mobile device may not be the end state; adversaries can bring in additional files, modules, validators, or implants to continue the operation. For leaders, this is a mobile resilience issue: Android and iOS devices used by executives, administrators, or regulated business functions may become staging points for follow-on activity if file transfer and mobile network visibility are weak.

Executive priority

Prioritize this technique where mobile devices have access to sensitive communications, identity workflows, financial apps, or executive data. ATT&CK links this behavior to multiple Android malware families and iOS-focused activity, including Operation Triangulation and TriangleDB, so risk owners should ask whether mobile monitoring, incident response collection, and egress visibility can show when a compromised device receives new tooling from C2 or alternate protocols such as FTP.

Technical view

For SOC, detection engineering, and IR teams, validate coverage around unexpected file delivery to Android and iOS devices after suspected compromise. ATT&CK does not provide native detection text for T1544, but relationship context includes DET0718, Detection of Ingress Tool Transfer. Practical validation should focus on whether mobile telemetry can correlate network sessions to external systems with file creation, package/module changes, or execution of newly delivered content. Android coverage is especially relevant given the number of related Android software entries; iOS coverage should be assessed separately because device-level telemetry is often more constrained.

Likely telemetry

  • Mobile device network metadata, including connections to external systems, C2-like infrastructure, and protocols such as FTP where visible
  • DNS, proxy, VPN, firewall, or secure web gateway logs for managed mobile traffic
  • Mobile threat defense, EDR, or MDM events showing downloaded files, new packages, changed app components, or suspicious modules
  • Android application/package inventory, install/update events, and file-system indicators where collection is available
  • iOS MDM, network, and forensic artifacts that can support investigation of externally delivered files or implants

Detection direction

  • Confirm whether DET0718 or equivalent analytics are implemented and mapped to Android and iOS mobile telemetry, rather than assuming desktop ingress-transfer logic applies to mobile.
  • Tune for sequences: suspected compromise or C2 communication followed by new file creation, module download, package change, or execution from unusual locations.
  • Account for false positives from legitimate app updates, enterprise content delivery, MDM actions, and user-initiated downloads; context from device ownership, app reputation, and destination reputation is important.
  • Review blind spots where mobile traffic bypasses corporate inspection, where BYOD devices lack MDM/MTD coverage, or where iOS telemetry cannot expose file-level activity without forensic collection.
  • Use relationship context for threat-informed testing: Android examples include RedDrop, Monokle, ViceLeaker, Mandrake, SharkBot, AbstractEmu, Sunbird, Chameleon, SpyC23, CherryBlos, GodFather, and DocSwap; iOS examples include Phenakite, TriangleDB, LightSpy, and Operation Triangulation.
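One way to prototype the sequence logic described above (unrecognized external session followed by new file, package or execution activity on the same device, with MDM actions, app-store updates and allowlisted destinations suppressed). This is an added example, not part of the page and not ATT&CK's DET0718 analytic; the telemetry, allowlists, field names and window are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry for one managed Android device (not from the page).
# NETWORK: egress sessions from VPN/gateway logs; DEVICE: MTD/MDM file, package and exec events.
NETWORK = [
    {"dev": "a1", "ts": "2025-03-01T09:00:00", "dst": "play.googleapis.com", "proto": "https"},
    {"dev": "a1", "ts": "2025-03-01T09:30:00", "dst": "203.0.113.7", "proto": "ftp"},
    {"dev": "a1", "ts": "2025-03-01T12:00:00", "dst": "mdm.example-corp.net", "proto": "https"},
]
DEVICE = [
    {"dev": "a1", "ts": "2025-03-01T09:02:00", "kind": "package_install",
     "path": "/data/app/com.bank.app", "initiator": "play_store"},
    {"dev": "a1", "ts": "2025-03-01T09:33:00", "kind": "file_create",
     "path": "/data/data/com.example.dropper/files/mod.dex", "initiator": "app"},
    {"dev": "a1", "ts": "2025-03-01T09:34:00", "kind": "exec",
     "path": "/data/local/tmp/mod", "initiator": "app"},
    {"dev": "a1", "ts": "2025-03-01T12:03:00", "kind": "package_install",
     "path": "/data/app/com.corp.vpn", "initiator": "mdm"},
]
# Assumed tuning knobs: destination allowlist, trusted change initiators, unusual exec locations.
TRUSTED_DST = {"play.googleapis.com", "mdm.example-corp.net"}
TRUSTED_INIT = {"mdm", "play_store"}
UNUSUAL_PATHS = ("/data/local/tmp/", "/sdcard/Download/")
DELIVERY_KINDS = {"file_create", "package_install", "exec"}
WINDOW = timedelta(minutes=10)

def correlate(network, device, window=WINDOW):
    """Flag a session to an unrecognized destination that is followed, within `window` and on
    the same device, by new file/package/exec activity not initiated by MDM or an app store."""
    alerts = []
    for n in network:
        if n["dst"] in TRUSTED_DST:
            continue  # destination reputation suppresses legitimate delivery paths
        t0 = datetime.fromisoformat(n["ts"])
        for e in device:
            if e["dev"] != n["dev"] or e["kind"] not in DELIVERY_KINDS:
                continue
            if e["initiator"] in TRUSTED_INIT:
                continue  # MDM actions and store updates are expected content delivery
            t1 = datetime.fromisoformat(e["ts"])
            if not (t0 <= t1 <= t0 + window):
                continue
            reasons = ["unrecognized_destination"]
            if n["proto"] == "ftp":
                reasons.append("alternate_protocol_ftp")  # alternate protocol named by ATT&CK
            if e["kind"] == "exec" and e["path"].startswith(UNUSUAL_PATHS):
                reasons.append("exec_from_unusual_location")
            alerts.append({"dev": n["dev"], "dst": n["dst"], "event": e["kind"],
                           "path": e["path"], "reasons": reasons})
    return alerts
```

On the constructed data the Play Store install and the MDM-pushed VPN app are suppressed, while the FTP session to 203.0.113.7 yields two alerts: the dropped module file and the execution from /data/local/tmp.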

Mitigation priorities

  • Start with mobile asset and enrollment coverage: identify which Android and iOS devices are managed, monitored, and eligible for incident response collection.
  • Reduce uncontrolled file delivery paths by enforcing approved app sources, mobile configuration baselines, and network controls appropriate to managed devices.
  • Improve egress visibility for mobile devices through managed VPN, DNS, proxy, or gateway logging where privacy and policy allow.
  • Harden response playbooks so suspected mobile compromise triggers containment, preservation, and review for additional tools or files delivered after initial access.
  • For high-risk users, validate mobile security posture alongside identity controls, since follow-on tooling on a device may affect communications, credentials, or sensitive application access.

Analyst notes and limits

ATT&CK defines T1544 as transfer of tools or other files from an external system onto a compromised Android or iOS device, either through the command-and-control channel or alternate protocols such as FTP. The relationship set shows this behavior across numerous mobile malware and campaign objects, which supports prioritizing it as a cross-platform mobile defense concern rather than a niche artifact.

The official ATT&CK object provides no tactic assignment and no detection text. This take therefore avoids claiming specific detection efficacy or active customer exposure. Local device management model, telemetry depth, mobile OS restrictions, and legal/privacy constraints will determine what can actually be detected or investigated.

Official MITRE ATT&CK definition

Ingress Tool Transfer

Adversaries may transfer tools or other files from an external system onto a compromised device to facilitate follow-on actions. Files may be copied from an external adversary-controlled system through the command and control channel or through alternate protocols with another tool such as FTP.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Associated objects

Groups, software, and campaigns

Malware Mobile

S1185: LightSpy

First observed in 2018, LightSpy is a modular malware family that initially targeted iOS devices in Southern Asia before expanding to Android and macOS platforms. It consists of a downloader, a main executable that manages network communications, and functionality-specific modules, typically implemented as `.dylib` files (iOS, macOS) or `.apk` files (Android). LightSpy can collect VoIP call recordings, SMS messages, and credential stores, which are then exfiltrated to a command and control (C2) server.[1]

Android, Windows, iOS
Malware Mobile

S1083: Chameleon

Chameleon is an Android banking trojan that can leverage Android’s Accessibility Services to perform malicious activities. Believed to have been first active in January 2023, Chameleon has been observed targeting users in Australia and Poland by masquerading as official applications. A new variant of Chameleon has expanded its targets to include Android users in the United Kingdom and Italy.[1][2]

Android
Malware Mobile

S1195: SpyC23

SpyC23 is a mobile malware that has been used by APT-C-23 since at least 2017. SpyC23 has been observed primarily targeting Android devices in the Middle East.[1]

There are multiple close variants of SpyC23, such as VAMP[2], GnatSpy[3], Desert Scorpion and FrozenCell, which add some additional functionality but are not significantly different from the original malware.

Android
Malware Mobile

S0418: ViceLeaker

ViceLeaker is a spyware framework, capable of extensive surveillance and data exfiltration operations, primarily targeting devices belonging to Israeli citizens.[1][2]

Android
Malware Mobile

S1126: Phenakite

Phenakite is a mobile malware that is used by APT-C-23 to target iOS devices. According to several reports, Phenakite was developed to fill a tooling gap and to target those who owned iPhones instead of Windows desktops or Android phones.[1][2]

iOS
Malware Mobile

S1055: SharkBot

SharkBot is a banking malware, first discovered in October 2021, that tries to initiate money transfers directly from compromised devices by abusing Accessibility Services.[1]

Android
Malware Mobile

S9005: DocSwap

DocSwap is an Android malware first identified in 2025, and attributed to Kimsuky. DocSwap’s name is a combination of its Korean name “문서열람 인증 앱” (Document Viewing Authentication App) and a phishing page masquerading as CoinSwap at the C2 address. Based on DocSwap’s name and Korean-language strings, DocSwap potentially targets mobile device users in South Korea. Several variants of DocSwap exist; one of the latest samples indicates that the adversary added a native decryption function that decrypts an internal APK.[1][2]

Android
Malware Mobile

S1231: GodFather

GodFather is an Android banking malware that uses virtualization to mimic legitimate applications and abuses accessibility services and other permissions to evade detection and exfiltrate sensitive data. First identified in 2020, GodFather targets nearly 500 banking applications, cryptocurrency wallets, and exchanges worldwide; however, its virtualization-based attacks have primarily focused on several Turkish financial institutions. This capability enables threat actors to steal banking credentials and other sensitive account information.[1][2]

Android
Malware Mobile

S0407: Monokle

Monokle is targeted, sophisticated mobile surveillanceware. It is developed for Android, but some code artifacts suggest that an iOS version may be in development.[1]

Android

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 2.2
Created:
Modified:
Raw hash: b0887e0db9feeafa...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 2.2 | | Current bundle | b0887e0db9fe…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack T1544 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.