MITRE ATT&CK® Technique

T1646: Exfiltration Over C2 Channel

Adversaries may steal data by exfiltrating it over an existing command and control channel. Stolen data is encoded into the normal communications channel using the same protocol as command and control communications.

Mobile | T1646 | Technique | Object version 1.1
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

Exfiltration Over C2 Channel matters because stolen mobile data can leave the device inside traffic that already looks like command-and-control communication. For leaders, the practical issue is not just malware presence; it is whether mobile security, network monitoring, and incident response can prove what data may have left Android or iOS devices when the exfiltration path is blended into an existing C2 channel.

Executive priority

Prioritize this where mobile devices handle sensitive business, customer, financial, or regulated data. The relationship set links this technique to multiple mobile malware and surveillanceware families, including Android banking trojans, spyware, and cross-platform surveillance tooling, which makes it relevant to mobile risk management, incident scoping, and compliance evidence. Executives should ask whether the organization can identify managed versus unmanaged mobile exposure, preserve mobile network and endpoint evidence, and make defensible decisions about data-loss notification or account containment after a mobile compromise.

Technical view

This is a mobile ATT&CK technique for Android and iOS. MITRE does not provide official detection text for the object, but a related detection strategy, DET0615, is listed as detecting it. SOC and IR teams should validate whether their mobile telemetry can connect three facts: a suspicious or malicious mobile app, an established C2 communication pattern, and evidence that data is being encoded or transferred over that same channel. Relationship context shows repeated use by Android malware families and by some software that runs on iOS or on both Android and iOS, so platform-specific visibility gaps should be assessed separately rather than assuming desktop-style network controls will be enough.

Likely telemetry

  • Mobile device management or mobile threat defense records for installed applications, device posture, permissions, and platform type
  • Mobile endpoint or application security alerts for spyware, banking trojans, surveillanceware, or remote access behavior
  • Network metadata for mobile device connections, including destinations, timing, volume, protocol, and persistence of suspected C2 sessions
  • DNS, proxy, VPN, secure web gateway, or carrier/Wi-Fi egress logs where mobile traffic is routed through enterprise-controlled paths
  • Incident response acquisition from affected Android or iOS devices where available, including app artifacts and communication traces

Detection direction

  • Validate DET0615 or equivalent analytics against mobile traffic where the same channel appears to support both command activity and outbound data transfer.
  • Tune for behavioral context (timing regularity, outbound volume, direction, session persistence) rather than payload inspection alone; the technique description states stolen data is encoded into the normal C2 communications using the same protocol, so nothing in the protocol itself distinguishes an exfiltration message from a routine check-in.
  • Separate Android and iOS coverage assumptions; many related software entries specify Android, while some relationships include iOS or both Android and iOS.
  • Correlate suspected C2 with mobile app inventory, permissions, and user/device ownership to reduce false positives from legitimate mobile applications with persistent cloud communications.
  • Look for blind spots caused by unmanaged devices, split-tunnel mobile traffic, encrypted application traffic, limited mobile EDR/MTD deployment, and lack of retained network metadata.
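The following is an added example, not code from the ATT&CK object, from MITRE, or from any malware family listed on this page. It simulates the behavior the technique description gives (stolen data base64-encoded into the same JSON field of an otherwise unchanged periodic check-in) and then runs the behavioral detection the bullets above call for over the resulting flow metadata: per device and destination, require beacon-like timing, then measure outbound bytes above the heartbeat baseline. The device id, hostnames (example TLD), record layout and byte counts are all constructed assumptions; two legitimate traffic patterns are included to show why timing regularity and size deviation are both needed to avoid false positives.

```python
"""Blended exfiltration over a mobile C2 beacon: simulate it, then detect it.

Added example, not code from the ATT&CK object or from any malware family on
this page. Device id, hostnames (example TLD) and record layout are invented.
"""
import base64
import json
import statistics
from collections import defaultdict

DEVICE = "dev-7f3a"              # hypothetical managed Android device id
C2 = "cdn-sync.example"          # hypothetical C2 host (not a real indicator)
T0 = 1_700_000_000.0             # epoch seconds for the constructed records


def build_beacons(stolen: bytes, chunk: int = 1400, idle_before: int = 8,
                  idle_after: int = 4, period: float = 60.0) -> list[dict]:
    """Simulated implant side: one check-in per `period` seconds.

    Every check-in has the same JSON shape, host, path and protocol. Idle
    check-ins carry an empty 'state'; while data is queued, each check-in
    carries one base64 chunk in that same field. Output is flow metadata of
    the kind a secure web gateway or egress proxy would log (bytes, not bodies).
    """
    chunks = [stolen[i:i + chunk] for i in range(0, len(stolen), chunk)]
    schedule = [b""] * idle_before + chunks + [b""] * idle_after
    records = []
    for k, payload in enumerate(schedule):
        body = {"id": DEVICE, "v": 3, "state": base64.b64encode(payload).decode()}
        wire = json.dumps(body, separators=(",", ":")).encode()
        records.append({
            "ts": T0 + k * period + (k % 3) * 0.7,   # sub-second jitter only
            "device": DEVICE, "dst": C2, "proto": "https",
            "out_bytes": len(wire) + 180,            # + fixed header/TLS overhead
            "in_bytes": 210,                         # server always replies with a short ack
        })
    return records


def benign_traffic() -> list[dict]:
    """Two legitimate patterns that a naive rule would confuse with exfil."""
    # A push/sync client: strictly periodic, but every message is the same size.
    sync = [{"ts": T0 + k * 30.0, "device": DEVICE, "dst": "push.legit-cloud.example",
             "proto": "https", "out_bytes": 300, "in_bytes": 900} for k in range(20)]
    # A photo backup: huge uploads, but bursty and user-driven, not a beacon.
    offsets = [0, 5, 7, 130, 131, 400, 900, 905, 1800, 3600]
    backup = [{"ts": T0 + o, "device": DEVICE, "dst": "photos.legit-cloud.example",
               "proto": "https", "out_bytes": 2_000_000, "in_bytes": 500} for o in offsets]
    return sync + backup


def find_blended_exfil(records: list[dict], min_beacons: int = 8,
                       max_jitter: float = 0.25, size_factor: float = 4.0) -> list[dict]:
    """Defender side: per (device, destination), require beacon-like timing,
    then measure outbound bytes above the heartbeat baseline.

    Timing regularity separates C2 from user-driven uploads; size deviation
    inside an otherwise regular stream is what blended exfil leaves behind,
    since protocol, host and cadence stay identical.
    """
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["device"], r["dst"])].append(r)
    findings = []
    for (device, dst), flows in by_pair.items():
        flows.sort(key=lambda r: r["ts"])
        if len(flows) < min_beacons:
            continue
        gaps = [b["ts"] - a["ts"] for a, b in zip(flows, flows[1:])]
        period = statistics.median(gaps)
        if period <= 0 or statistics.pstdev(gaps) / period > max_jitter:
            continue                                  # irregular: not beacon-like
        sizes = sorted(r["out_bytes"] for r in flows)
        baseline = sizes[len(sizes) // 4]             # lower quartile ~ heartbeat size
        heavy = [r for r in flows if r["out_bytes"] > baseline * size_factor]
        if not heavy:
            continue                                  # regular but flat: plain check-ins
        findings.append({
            "device": device, "dst": dst, "period_s": round(period, 1),
            "beacons": len(flows), "heavy_beacons": len(heavy),
            "baseline_out_bytes": baseline,
            # Bytes above baseline: an upper bound on encoded data that left
            # (base64 inflates raw data by ~4/3), useful for scoping questions.
            "est_exfil_bytes": sum(r["out_bytes"] - baseline for r in heavy),
            "first_heavy_ts": heavy[0]["ts"], "last_heavy_ts": heavy[-1]["ts"],
        })
    return findings


def demo() -> list[dict]:
    """Constructed dataset: 6144 bytes of 'stolen' data plus benign noise."""
    stolen = bytes(range(256)) * 24
    return find_blended_exfil(build_beacons(stolen) + benign_traffic())


if __name__ == "__main__":
    for f in demo():
        print(json.dumps(f, indent=2))
```

Running `demo()` yields a single finding for the simulated C2 host: the periodic sync client is regular but flat in size, the photo backup is heavy but irregular, and only the stream that is both regular and carries size outliers is reported. The `est_exfil_bytes` and first/last heavy timestamps are the fields an IR lead needs for the scoping question in the executive section: roughly how much encoded data left, and over what window. The baseline uses the lower quartile of message sizes rather than the median so that a long exfiltration run does not drag the "normal" size upward and hide itself.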

Mitigation priorities

  • Establish mobile asset and ownership visibility first, including which Android and iOS devices can access sensitive business data.
  • Prioritize controls that reduce installation and persistence of malicious mobile applications, such as managed app distribution, device compliance requirements, and mobile threat protection where appropriate.
  • Route managed mobile traffic through logging points that retain enough metadata to investigate suspected C2 and exfiltration behavior.
  • Integrate mobile alerts with SOC triage, identity containment, and incident response playbooks so a compromised device can trigger account review and data-loss assessment.
  • For high-risk users or regulated workflows, validate evidence retention needed for audit, legal, and notification decisions after suspected mobile data theft.

Analyst notes and limits

The supplied ATT&CK object is concise: it defines exfiltration over an existing mobile C2 channel and lists Android and iOS platforms, but the mirrored fields carry neither tactic values (in Mobile ATT&CK the technique sits under the Exfiltration tactic) nor official detection guidance. The broad relationship set is useful for prioritization because it connects the technique to multiple mobile malware and campaign entries, including spyware, banking trojans, and surveillanceware. Defensive value comes from validating mobile telemetry and response readiness, not from assuming any single indicator or malware family is present.

This take is limited to the provided ATT&CK fields, external references, and relationships. It does not assert active exploitation, local exposure, attribution, or guaranteed detection. Because the mirrored object lacks official detection text and tactic values, organizations must confirm coverage against their own mobile fleet architecture, logging paths, device management model, and incident evidence requirements.

Official MITRE ATT&CK definition

Exfiltration Over C2 Channel

Adversaries may steal data by exfiltrating it over an existing command and control channel. Stolen data is encoded into the normal communications channel using the same protocol as command and control communications.


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Associated objects

Groups, software, and campaigns

Malware (Mobile)

S0551: GoldenEagle

GoldenEagle is a piece of Android malware that has been used in targeting of Uyghurs, Muslims, Tibetans, individuals in Turkey, and individuals in China. Samples have been found as early as 2012.[1]

Malware (Mobile)

S1055: SharkBot

SharkBot is a banking malware, first discovered in October 2021, that tries to initiate money transfers directly from compromised devices by abusing Accessibility Services.[1]

Platforms: Android

Malware (Mobile)

S9004: Crocodilus

Crocodilus is an Android banking Trojan that was discovered in March 2025. Crocodilus targeted users worldwide, including Turkey, Poland, Argentina, Brazil, Spain, the United States, Indonesia and India. Crocodilus has been customized based on the target location. For example, Crocodilus mimicked major Turkish and Spanish banks for users in Turkey and Spain, while users in Poland saw Facebook advertisements that promoted Crocodilus to claim bonus points.[1][2]

Platforms: Android

Malware (Mobile)

S1054: Drinik

Drinik is an evolving Android banking trojan that was observed targeting customers of around 27 banks in India in August 2021. Initially seen as an SMS stealer in 2016, Drinik resurfaced as a banking trojan with more advanced capabilities included in subsequent versions between September 2021 and August 2022.[1]

Platforms: Android

Malware (Mobile)

S1095: AhRat

AhRat is an Android remote access tool based on the open-source AhMyth remote access tool. AhRat initially spread in August 2022 on the Google Play Store via an update containing malicious code to the previously benign application, “iRecorder – Screen Recorder,” which itself was released in September 2021.[1]

Platforms: Android

Malware (Mobile)

S1241: RatMilad

RatMilad is an Android remote access tool (RAT) with spyware functionality that has been used to target enterprise mobile devices in the Middle East since at least 2021. Variants of RatMilad have been disguised as VPN applications and a fake app named NumRent. Upon installation, RatMilad employs multiple Collection techniques to collect sensitive information before uploading the collected data to its command and control (C2) server.[1]

Platforms: Android

Malware (Mobile)

S1083: Chameleon

Chameleon is an Android banking trojan that can leverage Android’s Accessibility Services to perform malicious activities. Believed to have been first active in January 2023, Chameleon has been observed targeting users in Australia and Poland by masquerading as official applications. A new variant of Chameleon has expanded its targets to include Android users in the United Kingdom and Italy.[1][2]

Platforms: Android

Malware (Mobile)

S0418: ViceLeaker

ViceLeaker is a spyware framework, capable of extensive surveillance and data exfiltration operations, primarily targeting devices belonging to Israeli citizens.[1][2]

Platforms: Android

Malware (Mobile)

S1185: LightSpy

First observed in 2018, LightSpy is a modular malware family that initially targeted iOS devices in Southern Asia before expanding to Android and macOS platforms. It consists of a downloader, a main executable that manages network communications, and functionality-specific modules, typically implemented as `.dylib` files (iOS, macOS) or `.apk` files (Android). LightSpy can collect VoIP call recordings, SMS messages, and credential stores, which are then exfiltrated to a command and control (C2) server.[1]

Platforms: Android, Windows, iOS

Malware (Mobile)

S1231: GodFather

GodFather is an Android banking malware that uses virtualization to mimic legitimate applications and abuses accessibility services and other permissions to evade detection and exfiltrate sensitive data. First identified in 2020, GodFather targets nearly 500 banking applications, cryptocurrency wallets, and exchanges worldwide; however, its virtualization-based attacks have primarily focused on several Turkish financial institutions. This capability enables threat actors to steal banking credentials and other sensitive account information.[1][2]

Platforms: Android

Malware (Mobile)

S1061: AbstractEmu

AbstractEmu is mobile malware that was first seen in Google Play and other third-party stores in October 2021. It was discovered in 19 Android applications, of which at least 7 abused known Android exploits for obtaining root permissions. AbstractEmu was observed primarily impacting users in the United States, however victims are believed to be across a total of 17 countries.[1]

Platforms: Android

Campaign (Mobile)

C0016: Operation Dust Storm

Operation Dust Storm was a long-standing persistent cyber espionage campaign that targeted multiple industries in Japan, South Korea, the United States, Europe, and several Southeast Asian countries. By 2015, the Operation Dust Storm threat actors shifted from government and defense-related intelligence targets to Japanese companies or Japanese subdivisions of larger foreign organizations supporting Japan's critical infrastructure, including electricity generation, oil and natural gas, finance, transportation, and construction.[1]

Operation Dust Storm threat actors also began to use Android backdoors in their operations by 2015, with all identified victims at the time residing in Japan or South Korea.[1]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.1
Raw hash: 0ac22874c4e9ea2d...

Imported snapshots across ATT&CK releases (1):

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.1            |          | Current bundle | 0ac22874c4e9…
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. NIST Mobile Threat Catalogue APP-29
  2. mitre-attack T1646

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.