T1639.001: Exfiltration Over Unencrypted Non-C2 Protocol
Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.
Adversaries may opt to obfuscate this data, without the use of encryption, within network protocols that are natively unencrypted (such as HTTP, FTP, or DNS). Adversaries may employ custom or publicly available encoding/compression algorithms (such as base64) or embed data within protocol headers and fields.
Analyst context for executives and security teams
This mobile ATT&CK sub-technique matters because it describes data theft from Android or iOS devices using ordinary unencrypted protocols such as HTTP, FTP, or DNS, separate from the attacker’s main command-and-control path. For executives and security leaders, the practical issue is whether mobile device data can leave the organization in traffic that looks routine, low-risk, or poorly inspected. Because ATT&CK provides no official detection text for this object, organizations should treat coverage as something to validate, not assume.
Executive priority
Prioritize this as a mobile data-loss and monitoring-readiness question: do managed devices, mobile apps, networks, and SOC workflows provide enough evidence to identify suspicious unencrypted outbound transfers? This is especially relevant where mobile devices handle regulated data, executive communications, field operations, or sensitive business workflows. Leaders should ask whether mobile security, network monitoring, acceptable-use controls, and incident response processes can prove visibility into HTTP, FTP, DNS, and similar non-C2 egress paths from Android and iOS devices.
Technical view
For SOC, detection engineering, and IR teams, validate monitoring for Android and iOS outbound traffic using unencrypted non-C2 protocols and alternate destinations. The parent technique is Exfiltration Over Alternative Protocol, and the supplied relationship context includes a detection strategy, DET0701, plus Android malware examples that use this behavior. Since ATT&CK does not provide official detection guidance here, local detection should focus on abnormal mobile egress patterns, protocol misuse, suspicious destinations, unexpected data volume, and encoded or compressed content such as base64 in headers, fields, or request bodies. Investigations should distinguish legitimate app communications from unusual transfers to alternate network locations.
Likely telemetry
- Mobile device network connection logs from Android and iOS management or security tooling
- Proxy, secure web gateway, firewall, DNS, and network flow records for mobile device traffic
- HTTP request metadata, headers, URI patterns, user agents, and response/request sizes where legally and operationally available
- FTP and other cleartext protocol logs if permitted in the environment
- DNS query logs, query length, frequency, entropy, and destination domain context
Detection direction
- Confirm whether DET0701 or equivalent logic is implemented and tested against mobile traffic, not only traditional endpoints.
- Baseline normal mobile app egress by protocol, destination, volume, and frequency; alert on deviations rather than protocol use alone.
- Look for data embedded in cleartext protocol fields, headers, query strings, DNS labels, or encoded/compressed blobs, while tuning for legitimate analytics, telemetry, and content delivery traffic.
- Correlate suspicious unencrypted egress with app installation source, app permissions, recent app updates, and known unwanted or unmanaged applications.
- Validate visibility gaps for off-network devices, personal networks, carrier networks, VPN split tunneling, encrypted DNS, and unmanaged mobile devices.
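The detection direction above (baseline per-app egress, look for long or high-entropy DNS labels and encoded blobs in query strings, and triage rather than alert on protocol use alone) can be exercised against sample records. The following is an added example written for this page, not code from ATT&CK, Glexia, or the DET0701 strategy; the record layout, the app names and domains, the per-(app, protocol) byte baselines, and every threshold are constructed assumptions that a team would replace with values learned from its own mobile telemetry.

```python
"""Added example: score constructed mobile egress records for cleartext-protocol
exfiltration indicators (long/high-entropy DNS labels, base64-shaped query values,
outbound volume above a per-app baseline). Not part of the ATT&CK page."""
import base64
import binascii
import math
import re
from collections import defaultdict

# Constructed sample records (hypothetical apps and domains). 'payload' holds the
# DNS query name for DNS, or the request path plus query string for HTTP.
SAMPLE_RECORDS = [
    {"app": "com.example.news", "proto": "http", "dst": "cdn.example-news.test",
     "bytes_out": 1200, "payload": "/api/v2/articles?page=3&lang=en"},
    {"app": "com.example.news", "proto": "dns", "dst": "cdn.example-news.test",
     "bytes_out": 60, "payload": "cdn.example-news.test"},
    {"app": "com.example.fakeupdate", "proto": "dns", "dst": "upd-sync.test",
     "bytes_out": 90, "payload": "a3b5c9f1e2d4b6a8c0e1f3a5b7d9c1e3.upd-sync.test"},
    {"app": "com.example.fakeupdate", "proto": "http", "dst": "upd-sync.test",
     "bytes_out": 480000,
     "payload": "/u?d=" + base64.b64encode(b"contacts: Alice 07700 900001").decode()},
]

# Hypothetical p95 outbound bytes per request per (app, proto), learned from a clean window.
BASELINE_P95_BYTES = {("com.example.news", "http"): 2000, ("com.example.news", "dns"): 80}

B64_RE = re.compile(r"^[A-Za-z0-9+/=_-]{24,}$")
QUERY_VALUE_RE = re.compile(r"[?&][^=&]+=([^&]+)")


def shannon_entropy(s: str) -> float:
    """Bits per character; hex or base64 blobs score well above ordinary hostnames."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_encoded_blob(value: str) -> bool:
    """True if the value is long, base64-shaped, and decodes to mostly printable bytes."""
    if not B64_RE.match(value):
        return False
    try:
        raw = base64.b64decode(value + "=" * (-len(value) % 4), altchars=b"-_")
    except (binascii.Error, ValueError):
        return False
    if not raw:
        return False
    printable = sum(32 <= b < 127 for b in raw)
    return printable / len(raw) >= 0.9


def score_record(rec, baseline=BASELINE_P95_BYTES):
    """Return the list of indicator names that fire for one egress record."""
    reasons = []
    p95 = baseline.get((rec["app"], rec["proto"]))
    if p95 is None:
        reasons.append("no_baseline_for_app_proto")   # unknown app/protocol pair
    elif rec["bytes_out"] > 5 * p95:
        reasons.append("volume_above_baseline")       # illustrative 5x multiplier
    if rec["proto"] == "dns":
        longest = max(rec["payload"].split("."), key=len)
        if len(longest) >= 30:
            reasons.append("long_dns_label")
        if len(longest) >= 16 and shannon_entropy(longest) > 3.5:
            reasons.append("high_entropy_dns_label")
    elif rec["proto"] in ("http", "ftp"):
        if any(looks_like_encoded_blob(v) for v in QUERY_VALUE_RE.findall(rec["payload"])):
            reasons.append("encoded_blob_in_query")
    return reasons


def triage(records, baseline=BASELINE_P95_BYTES):
    """Keep only records with at least one indicator, for analyst review."""
    out = []
    for rec in records:
        reasons = score_record(rec, baseline)
        if reasons:
            out.append({"app": rec["app"], "proto": rec["proto"],
                        "dst": rec["dst"], "reasons": reasons})
    return out


if __name__ == "__main__":
    for hit in triage(SAMPLE_RECORDS):
        print(f"{hit['app']} {hit['proto']} -> {hit['dst']}: {', '.join(hit['reasons'])}")
```

The scoring deliberately reports reasons rather than a verdict: a missing baseline or a single long DNS label is a triage prompt, not proof of exfiltration, and the same checks would be tuned per app against legitimate analytics and CDN traffic before becoming alerts.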
Mitigation priorities
- Reduce unnecessary cleartext outbound protocols from managed mobile devices and mobile app environments where business processes allow.
- Enforce mobile device management and mobile application governance for app source, permissions, and approved application use.
- Route managed mobile traffic through monitored network paths where appropriate, while accounting for privacy, legal, and operational constraints.
- Use DNS, web, proxy, and firewall policy to restrict suspicious destinations and unsupported protocols from mobile devices.
- Maintain incident response playbooks for suspected mobile data exfiltration, including device isolation, app review, log preservation, and user impact assessment.
Analyst notes and limits
This object is a mobile sub-technique for Android and iOS. ATT&CK lists it as a sub-technique of T1639, Exfiltration Over Alternative Protocol, and provides examples of related Android software using it. The business value is in validating whether mobile exfiltration over ordinary unencrypted protocols would be visible, triaged, and contained in the organization’s environment.
The supplied ATT&CK object has no official detection text and no specified tactics. Relationship context identifies a detection strategy, DET0701, but its detailed analytic content was not supplied here. Conclusions about actual exposure, active exploitation, attribution, or detection coverage require local telemetry, mobile fleet scope, app inventory, and network architecture evidence.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Related techniques
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Mobile | T1639 | Exfiltration Over Alternative Protocol | This object is a sub-technique of Exfiltration Over Alternative Protocol. |
Groups, software, and campaigns
S0655: BusyGasper
BusyGasper is Android spyware that has been in use since May 2016. There have been fewer than 10 victims, all of whom appear to be located in Russia, and all were infected via physical access to the device.[1]
S9006: VajraSpy
VajraSpy is Android malware distributed via trojanized messaging and news applications. It has been used to target individuals in Pakistan and India since at least 2021 and has been delivered through the Google Play Store, malicious domains, and other uncontrolled distribution channels. VajraSpy is attributed with high confidence to Patchwork, which has used the malware to conduct targeted espionage, primarily against devices in Pakistan.[1][2][3]
S0425: Corona Updates
Corona Updates is Android spyware that took advantage of the Coronavirus pandemic. The campaign distributing this spyware is tracked as Project Spy. Multiple variants of this spyware have been discovered to have been hosted on the Google Play Store.[1]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 5e5eed32eedb… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] NIST Mobile Threat Catalogue APP-30 (source URL)
- [2] mitre-attack T1639.001 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.