S0306: Trojan-SMS.AndroidOS.FakeInst.a
Trojan-SMS.AndroidOS.FakeInst.a is Android malware. [1]
Analyst context for executives and security teams
ATT&CK identifies Trojan-SMS.AndroidOS.FakeInst.a as Android malware and records a single relationship: it uses T1437.001 Web Protocols, with the relationship note stating that it uses Google Cloud Messaging (GCM) for command and control. For leaders, the practical issue is not the malware family alone but whether mobile security monitoring can see suspicious app-to-server communication when it rides a legitimate, widely used push service and blends into ordinary HTTP/HTTPS traffic. This matters for organizations that allow Android devices to access business systems, messaging, identity prompts, or regulated data.
Executive priority
Treat this as a mobile visibility and response-readiness question. Security leaders should ask whether corporate or BYOD Android devices are in scope for inventory, acceptable-use policy, mobile threat detection, network logging, and incident response procedures. Because ATT&CK provides no official detection guidance for this object, coverage should not be assumed; teams should be able to show what evidence they collect for mobile web traffic, app behavior, and device compliance before relying on SOC monitoring or audit assertions.
Technical view
ATT&CK describes this software only as Android malware and provides one relationship: it uses T1437.001 Web Protocols, specifically Google Cloud Messaging (GCM) for command and control. That detail matters for detection design. C2 carried over a Google push service terminates, from the device's point of view, at Google-operated infrastructure, so destination blocking and domain reputation are unlikely to separate it from the push traffic every Android device with Google services generates. SOC, detection engineering, and IR teams should therefore validate whether they can correlate mobile device identity, installed or observed app activity, and outbound HTTP/HTTPS destinations from mobile networks, VPN, proxy, DNS, MDM/UEM, or mobile threat defense sources, with app inventory carrying more weight than destination alone. Since tactics and official detection are not specified, detection should focus on environment-specific abnormal mobile app and web behavior rather than hard-coded assumptions about this object's full behavior.
Likely telemetry
- Mobile device inventory and compliance state from MDM/UEM or equivalent management sources
- Mobile threat defense or endpoint security events for Android devices, where deployed
- Proxy, secure web gateway, firewall, VPN, or carrier/network logs showing mobile HTTP/HTTPS connections
- DNS resolver logs for domains contacted by managed mobile devices
- Application inventory or app installation/change records for managed Android devices
Detection direction
- Confirm whether mobile HTTP/HTTPS traffic is visible at all; encrypted web traffic and off-network/BYOD use are common blind spots.
- Baseline normal mobile app network behavior per device and per app, and investigate unusual destinations, newly observed domains, rare user-agent patterns, or unexpected web communications from managed Android devices. Expect limited signal from destination alone for this object, since its recorded channel is Google's push service.
- Correlate web-protocol network events with device ownership, app inventory, and identity activity to avoid treating generic HTTP/HTTPS traffic as actionable by itself.
- Tune carefully for false positives because T1437.001 explicitly involves blending with normal web traffic; benign apps and push-notification services generate the same protocol patterns, and for this object the recorded channel (GCM) is traffic that every Android device with Google services already produces.
- Use the relationship to Web Protocols as context for detection engineering, but do not infer additional tactics, payload actions, or command-and-control details beyond the supplied ATT&CK data.
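The correlation described in the technical view and in the detection direction above, as an added example that is not part of the original page and not Glexia or MITRE tooling: it parses constructed secure-web-gateway lines for managed Android devices, flags domains a device has never been seen contacting, and enriches each hit with MDM ownership, compliance state and any installed app outside the corporate catalog, so a bare HTTP event is never escalated on its own. The log format, device IDs, domains, the shape of the MDM export and the push-service hostname (mtalk.google.com, assumed here to be the GCM/FCM endpoint) are all assumptions; every input is constructed. The push host sits in every device baseline, which shows the blind spot the text describes: C2 riding a push service produces no new-domain signal, and the finding that does surface comes from the app-inventory side.

```python
"""Correlate mobile web-protocol events with MDM inventory (added example).

All inputs are constructed, not real telemetry. Domain names, device IDs,
log format and the MDM export shape are assumptions for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed secure-web-gateway log lines for managed Android devices.
# The key=value layout is an assumption; adapt LINE_RE to your gateway.
PROXY_LOG = """\
2024-05-01T09:00:02Z dev=and-0017 dst=mtalk.google.com:5228 proto=TLS
2024-05-01T09:00:05Z dev=and-0017 dst=graph.microsoft.com:443 proto=TLS
2024-05-01T09:01:10Z dev=and-0042 dst=mtalk.google.com:5228 proto=TLS
2024-05-01T09:01:44Z dev=and-0042 dst=cdn-updates.example-apps.net:443 proto=TLS
2024-05-01T09:02:30Z dev=and-0042 dst=cdn-updates.example-apps.net:80 proto=HTTP
2024-05-01T09:03:12Z dev=and-0099 dst=login.microsoftonline.com:443 proto=TLS
"""

# Constructed per-device baseline of domains seen in the prior 30 days.
# The push-service host (assumed GCM/FCM endpoint) is in every baseline,
# so C2 carried over the push service yields no new-domain signal here.
BASELINE = {
    "and-0017": {"mtalk.google.com", "graph.microsoft.com"},
    "and-0042": {"mtalk.google.com", "graph.microsoft.com"},
    "and-0099": {"mtalk.google.com", "login.microsoftonline.com"},
}

# Constructed MDM/UEM export: ownership, compliance, installed package names.
MDM_INVENTORY = {
    "and-0017": {"owner": "corp", "compliant": True,
                 "apps": {"com.microsoft.office.outlook"}},
    "and-0042": {"owner": "byod", "compliant": False,
                 "apps": {"com.microsoft.office.outlook", "com.example.freeinstaller"}},
    "and-0099": {"owner": "corp", "compliant": True,
                 "apps": {"com.microsoft.office.outlook"}},
}

# Constructed corporate app catalog; any installed package outside it is "unknown".
APP_CATALOG = {"com.microsoft.office.outlook"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) dev=(?P<dev>\S+) dst=(?P<host>[^:\s]+):(?P<port>\d+) proto=(?P<proto>\S+)$"
)


def parse_proxy_log(text):
    """Parse key=value gateway lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        ev["port"] = int(ev["port"])
        events.append(ev)
    return events


def newly_observed_domains(events, baseline):
    """Return {device: {domain: first_seen}} for domains absent from that device's baseline."""
    first_seen = defaultdict(dict)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["host"] in baseline.get(ev["dev"], set()):
            continue
        # Events are time-ordered, so setdefault keeps the earliest sighting.
        first_seen[ev["dev"]].setdefault(ev["host"], ev["ts"])
    return dict(first_seen)


def correlate(events, baseline, inventory, catalog):
    """Enrich new-domain hits with device context so a bare web event is not escalated alone.

    Priority is 'high' when the device is unmanaged, noncompliant, or runs an app
    outside the catalog; otherwise 'review'.
    """
    findings = []
    for dev, domains in newly_observed_domains(events, baseline).items():
        meta = inventory.get(dev)
        unknown_apps = sorted(meta["apps"] - catalog) if meta else []
        escalate = meta is None or not meta["compliant"] or bool(unknown_apps)
        for host, ts in sorted(domains.items(), key=lambda kv: kv[1]):
            findings.append({
                "device": dev,
                "domain": host,
                "first_seen": ts.isoformat(),
                "owner": meta["owner"] if meta else "unmanaged",
                "compliant": meta["compliant"] if meta else None,
                "unknown_apps": unknown_apps,
                "priority": "high" if escalate else "review",
            })
    return findings


if __name__ == "__main__":
    for finding in correlate(parse_proxy_log(PROXY_LOG), BASELINE, MDM_INVENTORY, APP_CATALOG):
        print(finding)
```

Run against the constructed data, only and-0042 surfaces: its contact with cdn-updates.example-apps.net is new for that device, and the hit is raised to high priority because the MDM export shows a noncompliant BYOD device carrying a package outside the catalog. The push-service connections from all three devices produce nothing, which is the point: for a family whose recorded channel is GCM, the actionable evidence has to come from app inventory and device state joined to the network event, not from the destination.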
Mitigation priorities
- Establish authoritative mobile device inventory and decide which Android devices are allowed to access business systems.
- Enforce mobile management and device compliance requirements where business risk justifies it, especially for access to sensitive applications.
- Collect and retain mobile-relevant network, DNS, proxy/VPN, and device-management telemetry so incidents can be investigated after the fact.
- Apply least-privilege access and conditional access principles so unmanaged or noncompliant mobile devices have limited business impact.
- Document mobile incident response playbooks for suspected malicious apps, including containment, evidence preservation, credential review, and user communication.
Analyst notes and limits
The official ATT&CK object is sparse: it names Trojan-SMS.AndroidOS.FakeInst.a as Android malware and cites Kaspersky reporting, but does not provide tactics, platforms in its object fields, aliases, labels, or official detection text. The strongest relationship-driven context is its use of T1437.001 Web Protocols in the mobile ATT&CK domain, with the relationship note recording Google Cloud Messaging (GCM) as the command-and-control channel.
This take is limited to the supplied ATT&CK fields, external references, and the single relationship. It does not assert current exploitation, attribution, impact, specific infrastructure, or guaranteed detection. Local device management scope, BYOD policy, mobile telemetry, and network architecture are required to determine real exposure and coverage.
Trojan-SMS.AndroidOS.FakeInst.a
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Mobile | T1437.001 | Web Protocols (sub-technique of T1437 Application Layer Protocol) | Trojan-SMS.AndroidOS.FakeInst.a uses Google Cloud Messaging (GCM) for command and control.[1] |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table compares the same object across releases (object hashes and MITRE modification timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources page under Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | f62f3b61b869… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Kaspersky-MobileMalware: Roman Unuchek and Victor Chebyshev. (2014, February 24). Mobile Malware Evolution: 2013. Retrieved December 22, 2016.
- [2] mitre-attack: S0306, the MITRE ATT&CK software entry for Trojan-SMS.AndroidOS.FakeInst.a.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.