T1582: SMS Control
Adversaries may delete, alter, or send SMS messages without user authorization. This could be used to hide C2 SMS messages, spread malware, or produce various external effects.
This can be accomplished by requesting the `RECEIVE_SMS` or `SEND_SMS` permissions depending on what the malware is attempting to do. If the app is set as the default SMS handler on the device, the `SMS_DELIVER` broadcast intent can be registered, which allows the app to write to the SMS content provider. The content provider directly modifies the messaging database on the device, which could allow malicious applications with this ability to insert, modify, or delete arbitrary messages on the device.[1][2]
Analyst context for executives and security teams
SMS Control matters because a malicious Android app can send, alter, or delete text messages without the user’s authorization. That can undermine trust in SMS-based communications, hide SMS-based command messages, spread malware, or affect workflows that depend on SMS, including some banking and one-time-code scenarios reflected in related malware descriptions.
Executive priority
Treat this as a mobile risk and identity-readiness question: where does the organization still depend on SMS for authentication, approvals, customer contact, or operational coordination, and are Android devices in those workflows monitored well enough to identify risky SMS permissions or default SMS-handler changes? The ATT&CK relationships show this behavior across Android RATs, spyware, and banking malware, so it is useful for prioritizing mobile security controls, user guidance, and incident response playbooks involving compromised phones.
Technical view
For SOC, mobile security, and IR teams, validate Android coverage around apps requesting `RECEIVE_SMS` or `SEND_SMS` permissions, apps becoming the default SMS handler, registration for `SMS_DELIVER`, and access to the SMS content provider or messaging database. ATT&CK does not provide official detection text for T1582, but it does reference a related detection strategy, DET0599, and multiple Android software families that use the behavior. Detection logic should therefore be environment-specific and should combine app permission state, app reputation/inventory, SMS-handler role changes, and observed SMS activity rather than relying on a single permission as malicious.
Likely telemetry
- Android app permission inventory, especially `RECEIVE_SMS` and `SEND_SMS`
- Default SMS handler configuration and changes
- Installed application inventory from MDM/EMM or mobile security tooling
- Broadcast receiver or app manifest indicators related to `SMS_DELIVER` where available
- SMS send/delete/modify events or messaging database/content provider activity where visibility exists
Detection direction
- Confirm whether mobile telemetry can show which apps have SMS permissions and which app is the default SMS handler.
- Tune for suspicious combinations: non-messaging apps requesting SMS permissions, newly installed apps gaining SMS access, or unexpected default SMS-handler changes.
- Account for false positives from legitimate messaging, carrier, enterprise communication, or MFA-related apps that require SMS functionality.
- Use relationship context to enrich triage: Android RATs, spyware, and banking trojans are listed as using this behavior, so SMS control should raise priority when paired with other remote-access, surveillance, or banking-malware indicators.
- Document blind spots: ATT&CK provides no official detection procedure here, and many organizations have limited visibility into personal or unmanaged Android devices.
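The detection direction above stresses combining signals rather than treating one permission as malicious. The following is an added example written for this page, not Glexia or MITRE code, that applies those combinations to an app inventory: it assumes an MDM/EMM export normalised into the record shape shown (package name, category, install age, declared permissions, default-handler flag, a manifest flag for an `SMS_DELIVER` receiver, and a count of observed SMS events); the field names, the allowlist, the scoring weights and the inventory records are all constructed.

```python
"""Triage an Android app inventory for suspicious SMS-permission combinations.

Added example for this page (not Glexia or MITRE code). Field names, the
allowlist of approved SMS apps, the scoring weights and the sample inventory
are hypothetical/constructed; tune them to the environment.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Permissions named on the page; checked against the declared-permission list.
SMS_PERMISSIONS = {"android.permission.RECEIVE_SMS", "android.permission.SEND_SMS"}

# Constructed allowlist: messaging, carrier and MFA apps already reviewed by the
# organisation. Suppressing these is how the false positives the page mentions
# (legitimate messaging/MFA apps) are handled.
APPROVED_SMS_APPS = {"com.example.corpmessenger", "com.example.mfa"}

NEW_INSTALL_DAYS = 7  # "newly installed" threshold (constructed)


@dataclass
class AppRecord:
    package: str
    category: str                 # e.g. "messaging", "finance", "tools" (from inventory)
    install_age_days: int
    permissions: List[str] = field(default_factory=list)
    is_default_sms_handler: bool = False
    registers_sms_deliver: bool = False  # manifest receiver for SMS_DELIVER, where visible
    sms_events_24h: int = 0              # observed send/delete/modify events, where visible


@dataclass
class Finding:
    package: str
    reasons: List[str]
    score: int


def sms_permissions(app: AppRecord) -> List[str]:
    """Return the SMS permissions this app declares, in stable order."""
    return sorted(p.rsplit(".", 1)[-1] for p in app.permissions if p in SMS_PERMISSIONS)


def assess_app(app: AppRecord, baseline_default_handler: str) -> Optional[Finding]:
    """Score one app; None means nothing SMS-related is worth a triage entry."""
    held = sms_permissions(app)
    involved = held or app.is_default_sms_handler or app.registers_sms_deliver or app.sms_events_24h
    if not involved or app.package in APPROVED_SMS_APPS:
        return None

    reasons, score = [], 0
    non_messaging = app.category != "messaging"
    if held and non_messaging:
        reasons.append(f"non-messaging app ({app.category}) holds {', '.join(held)}")
        score += 2
    if held and app.install_age_days <= NEW_INSTALL_DAYS:
        reasons.append(f"installed {app.install_age_days} day(s) ago and already has SMS access")
        score += 1
    if app.is_default_sms_handler and app.package != baseline_default_handler:
        reasons.append(f"default SMS handler changed from {baseline_default_handler}")
        score += 3  # handler role grants write access to the SMS content provider
    if app.registers_sms_deliver and non_messaging:
        reasons.append("declares an SMS_DELIVER receiver (eligible to become default handler)")
        score += 1
    if app.sms_events_24h and non_messaging:
        reasons.append(f"{app.sms_events_24h} SMS send/modify/delete event(s) in 24h")
        score += 2
    return Finding(app.package, reasons, score) if reasons else None


def triage(inventory: List[AppRecord], baseline_default_handler: str) -> List[Finding]:
    """Run the rules over the whole inventory, highest score first."""
    findings = [f for f in (assess_app(a, baseline_default_handler) for a in inventory) if f]
    return sorted(findings, key=lambda f: f.score, reverse=True)


# Constructed sample inventory: one approved messenger (current default handler),
# one suspicious utility that took over the handler role, one banking app that
# only reads incoming SMS, and one app with no SMS involvement at all.
BASELINE_DEFAULT_HANDLER = "com.example.corpmessenger"
SAMPLE_INVENTORY = [
    AppRecord("com.example.corpmessenger", "messaging", 400, sorted(SMS_PERMISSIONS), True, True, 52),
    AppRecord("com.example.flashlight", "tools", 2, sorted(SMS_PERMISSIONS), True, True, 14),
    AppRecord("com.example.bankapp", "finance", 200, ["android.permission.RECEIVE_SMS"]),
    AppRecord("com.example.puzzle", "games", 30, ["android.permission.INTERNET"]),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY, BASELINE_DEFAULT_HANDLER):
        print(f"[{f.score}] {f.package}")
        for r in f.reasons:
            print(f"    - {r}")
```

Run as-is, the flashlight app surfaces at the top with five stacked reasons, while the banking app appears as a low-score entry that a triage analyst would likely accept as expected OTP behaviour; the approved messenger never appears even though it is the default handler and sends the most SMS. The point is the ranking produced by stacked signals, not any single rule.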
Mitigation priorities
- Start with M1011 User Guidance: educate users to avoid granting SMS permissions to apps that do not clearly need them and to be cautious when an app asks to become the default SMS handler.
- For managed Android fleets, review whether policy can restrict or alert on high-risk SMS permissions and default SMS-handler changes.
- Reduce business dependence on SMS where feasible for sensitive authentication or approval workflows, especially where compromised Android devices could affect identity assurance.
- Ensure mobile incident response playbooks include SMS abuse indicators, permission review, app removal, and assessment of any SMS-based business or authentication activity that may have been affected.
Analyst notes and limits
This take is based on ATT&CK T1582 SMS Control for Android, its official description, external references to Android SMS handling and SmsProvider behavior, the related DET0599 detection strategy, M1011 User Guidance mitigation, and listed software relationships including Android RATs, spyware, and banking malware. The strongest defensive value is validating whether the organization can observe and govern SMS-related app permissions and default handler status.
ATT&CK does not specify tactics for this object and provides no official detection text in the supplied fields. DET0599 is referenced only by name, without its detection details. Local mobile management, privacy constraints, device ownership model, and Android version behavior will determine what telemetry and controls are actually available.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Groups, software, and campaigns
S1054: Drinik
Drinik is an evolving Android banking trojan that was observed targeting customers of around 27 banks in India in August 2021. Initially seen as an SMS stealer in 2016, Drinik resurfaced as a banking trojan with more advanced capabilities included in subsequent versions between September 2021 and August 2022.[1]
S0425: Corona Updates
Corona Updates is Android spyware that took advantage of the Coronavirus pandemic. The campaign distributing this spyware is tracked as Project Spy. Multiple variants of this spyware have been discovered to have been hosted on the Google Play Store.[1]
S1067: FluBot
FluBot is a multi-purpose mobile banking malware that was first observed in Spain in late 2020. It primarily spread through European countries using a variety of SMS phishing messages in multiple languages.[1][2] An international law enforcement operation of 11 countries eventually disrupted the spread of FluBot.[3]
S9004: Crocodilus
Crocodilus is an Android banking Trojan that was discovered in March 2025. Crocodilus targeted users worldwide, including Turkey, Poland, Argentina, Brazil, Spain, the United States, Indonesia and India. Crocodilus has been customized based on the target location. For example, Crocodilus mimicked major Turkish and Spanish banks for users in Turkey and Spain, while users in Poland saw Facebook advertisements that promoted Crocodilus to claim bonus points.[1][2]
S0292: AndroRAT
AndroRAT is an open-source remote access tool for Android devices. AndroRAT is capable of collecting data, such as device location, call logs, etc., and is capable of executing actions, such as sending SMS messages and taking pictures.[1][2][3] It was originally made available through the `The404Hacking` GitHub repository.[2]
S0536: GPlayed
S0549: SilkBean
S0539: Red Alert 2.0
Red Alert 2.0 is a banking trojan that masquerades as a VPN client.[1]
S0522: Exobot
S0328: Stealth Mango
Stealth Mango is Android malware that has reportedly been used to successfully compromise the mobile devices of government officials, members of the military, medical professionals, and civilians. The iOS malware known as Tangelo is believed to be from the same developer.[1]
S0422: Anubis
S1195: SpyC23
SpyC23 is a mobile malware that has been used by APT-C-23 since at least 2017. SpyC23 has been observed primarily targeting Android devices in the Middle East.[1]
There are multiple close variants of SpyC23, such as VAMP[2], GnatSpy[3], Desert Scorpion, and FrozenCell, which add some additional functionality but are not significantly different from the original malware.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 52dba4cc7072… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] S. Main, D. Braun. (2013, October 14). Getting Your SMS Apps Ready for KitKat. Retrieved September 11, 2020.
[2] Google. (n.d.). SmsProvider.java. Retrieved September 11, 2020.
[3] NIST Mobile Threat Catalogue, APP-16.
[4] NIST Mobile Threat Catalogue, CEL-41.
[5] mitre-attack, T1582.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.