MITRE ATT&CK® Technique

T1644: Out of Band Data

Adversaries may communicate with compromised devices using out of band data streams. This could be done for a variety of reasons, including evading network traffic monitoring, as a backup method of command and control, or for data exfiltration if the device is not connected to any Internet-providing networks (i.e. cellular or Wi-Fi). Several out of band data streams exist, such as SMS messages, NFC, and Bluetooth.

On Android, applications can read push notifications to capture content from SMS messages, or other out of band data streams. This requires that the user manually grant notification access to the application via the settings menu. However, the application could launch an Intent to take the user directly there.

On iOS, there is no way to programmatically read push notifications.

Domain: Mobile. ID: T1644. Type: Technique. Object version: 2.1.
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

Out of Band Data matters because a compromised mobile device may communicate or leak data through channels that normal Internet monitoring may not see, such as SMS, NFC, or Bluetooth. For leaders, the key risk is not just malware on Android or iOS; it is the possibility that mobile command-and-control or exfiltration can bypass controls built mainly around Wi-Fi, cellular data, and perimeter network logs.

Executive priority

Treat this as a mobile visibility and governance issue. Ask whether high-risk users and business-critical mobile workflows have controls and evidence for risky permissions, SMS-related exposure, Bluetooth/NFC use, and user-granted notification access on Android. The ATT&CK relationships show this behavior across multiple mobile malware families, including Android and iOS examples, so it should inform mobile security requirements, incident response playbooks, and audit evidence for managed or bring-your-own mobile devices.

Technical view

SOC and IR teams should validate coverage separately for Android and iOS. On Android, ATT&CK notes that applications can read push notifications, including SMS content, if the user manually grants notification access; an app may also launch an Intent that takes the user directly to that settings area. On iOS, ATT&CK states there is no way to programmatically read push notifications, so detection expectations should not be copied directly from Android. Because no official ATT&CK detection text is provided, use the related DET0688 strategy as a pointer to build local analytics around mobile configuration, app behavior, and non-Internet communication evidence rather than relying only on network egress monitoring.

Likely telemetry

  • Mobile device inventory and platform context for Android and iOS devices
  • Installed application inventory and application reputation or provenance where available
  • Android notification access grant state and changes to sensitive user-granted settings
  • Evidence of apps launching or directing users into sensitive settings screens, where mobile telemetry supports it
  • SMS-related metadata or security events available through enterprise mobile tooling or carrier/MDM integrations

Detection direction

  • Do not assume enterprise network monitoring covers this technique; the behavior is specifically relevant when communication uses SMS, NFC, Bluetooth, or another out-of-band stream.
  • For Android, prioritize detection and review of unexpected notification access grants, especially for apps without a clear business need.
  • Tune investigations around user-driven permission changes, because the ATT&CK description notes that notification access on Android must be granted manually by the user; false positives may include legitimate accessibility, messaging, or productivity apps.
  • Separate Android and iOS logic: ATT&CK explicitly notes iOS cannot programmatically read push notifications, so Android notification-access detections should not be treated as iOS coverage.
  • Use related software context as threat-intelligence enrichment, not proof of local exposure: multiple Android malware entries and some iOS software are linked as using this technique.

Mitigation priorities

  • Start with M1011 User Guidance: train users not to grant notification access or similar sensitive permissions to untrusted or unnecessary apps.
  • Define acceptable mobile app sources and permission expectations for managed devices, with extra scrutiny for apps requesting notification access or access related to messaging and short-range communications.
  • For higher-risk users, review Android notification access settings and remove unnecessary grants as part of mobile hardening and incident readiness.
  • Where business operations allow, establish policy guidance for Bluetooth and NFC use on sensitive devices, recognizing that these are named out-of-band streams in the ATT&CK description.
  • Make mobile IR playbooks account for out-of-band communication so responders do not close investigations solely because standard network logs show little or no exfiltration path.
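
The Android notification-access review called for in the detection and mitigation bullets above can be scripted against the device's Secure setting `enabled_notification_listeners` (the colon-separated list of `package/service` components that hold notification access, readable with `adb shell settings get secure enabled_notification_listeners`). The following is an added example, not Glexia's or MITRE's code; the allowlist packages and the sample setting value are constructed.

```python
"""Audit Android notification-listener grants pulled with adb.

Added example (not from ATT&CK or Glexia): flags apps that hold
notification access on an Android device against an allowlist.
Input is the value of the Secure setting `enabled_notification_listeners`,
obtained with:  adb shell settings get secure enabled_notification_listeners
Each entry is a flattened ComponentName (package/service) separated by ':'.
"""
from dataclasses import dataclass

# Hypothetical allowlist: packages with a documented business need
# for notification access on managed devices (constructed names).
ALLOWED_PACKAGES = {
    "com.example.corp.mdm",    # constructed: managed-device agent
    "com.example.messaging",   # constructed: approved messaging app
}

# Constructed sample output (not from a real device) of:
#   adb shell settings get secure enabled_notification_listeners
SAMPLE_SETTING = (
    "com.example.corp.mdm/.NotificationAgent:"
    "com.example.messaging/com.example.messaging.ListenerService:"
    "com.freeflashlight.app/.NotifySvc"
)


@dataclass(frozen=True)
class ListenerGrant:
    package: str
    component: str


def parse_listeners(setting_value: str) -> list[ListenerGrant]:
    """Parse the colon-separated ComponentName list; 'null' or '' means no grants."""
    value = setting_value.strip()
    if not value or value == "null":
        return []
    grants = []
    for entry in value.split(":"):
        entry = entry.strip()
        if not entry:
            continue
        package, _, cls = entry.partition("/")
        # Short form "pkg/.Svc" is relative to the package: expand it.
        component = package + cls if cls.startswith(".") else cls
        grants.append(ListenerGrant(package, component))
    return grants


def unexpected_grants(setting_value: str, allowed=ALLOWED_PACKAGES) -> list[ListenerGrant]:
    """Return grants held by packages outside the allowlist, for review or revocation."""
    return [g for g in parse_listeners(setting_value) if g.package not in allowed]


if __name__ == "__main__":
    for g in unexpected_grants(SAMPLE_SETTING):
        print(f"REVIEW: {g.package} holds notification access via {g.component}")
```

Run it per device during mobile hardening or an IR triage; any package it reports is a candidate for the "remove unnecessary grants" step, and a change in the setting between two snapshots is the notification-access change the telemetry list asks for.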

Analyst notes and limits

This technique is especially relevant to organizations whose mobile security program is centered on Internet traffic inspection but has limited device-level visibility. The relationship set includes many Android software examples and iOS examples such as Pegasus for iOS and TriangleDB, but those relationships should be used to prioritize defensive validation rather than to infer current targeting or compromise.

ATT&CK provides no official detection text and no tactics for this object in the supplied fields. Practical detection depends heavily on local mobile management, mobile threat defense, endpoint telemetry, carrier data availability, device ownership model, and privacy/legal constraints. The supplied mitigation relationship is limited to User Guidance, so additional controls should be validated against the organization’s own mobile platform capabilities.

Official MITRE ATT&CK definition


View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row

Domain: Mobile
ID: T1438
Name: Exfiltration Over Other Network Medium
Relationship / procedure: Exfiltration Over Other Network Medium revoked by this object.
Associated objects

Groups, software, and campaigns

Malware Mobile

S0407: Monokle

Monokle is targeted, sophisticated mobile surveillanceware. It is developed for Android, but there are some code artifacts that suggest an iOS version may be in development.[1]

Android
Malware Mobile

S1055: SharkBot

SharkBot is a banking malware, first discovered in October 2021, that tries to initiate money transfers directly from compromised devices by abusing Accessibility Services.[1]

Android
Malware Mobile

S0411: Rotexy

Rotexy is an Android banking malware that has evolved over several years. It was originally an SMS spyware Trojan first spotted in October 2014, and since then has evolved to contain more features, including ransomware functionality.[1]

Android
Malware Mobile

S0328: Stealth Mango

Stealth Mango is Android malware that has reportedly been used to successfully compromise the mobile devices of government officials, members of the military, medical professionals, and civilians. The iOS malware known as Tangelo is believed to be from the same developer.[1]

Android
Malware Mobile

S0427: TrickMo

TrickMo is a 2FA-bypass mobile banking trojan, most likely distributed by TrickBot. TrickMo has been primarily targeting users located in Germany.[1]

TrickMo is designed to steal transaction authorization numbers (TANs), which are typically used as one-time passwords.[1]

Android
Malware Mobile

S1195: SpyC23

SpyC23 is a mobile malware that has been used by APT-C-23 since at least 2017. SpyC23 has been observed primarily targeting Android devices in the Middle East.[1]

There are multiple close variants of SpyC23, such as VAMP[2], GnatSpy[3], Desert Scorpion and FrozenCell, which add some additional functionality but are not significantly different from the original malware.

Android
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.

ATT&CK release: 19.1
Object version: 2.1
Raw hash: 89e07a446e3d7c4b...
Imported snapshots across ATT&CK releases: 1 (release 19.1, object version 2.1, current bundle)
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  [1] mitre-attack, T1644 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.