T1521.001: Symmetric Cryptography
Adversaries may employ a known symmetric encryption algorithm to conceal command and control traffic, rather than relying on any inherent protections provided by a communication protocol. Symmetric encryption algorithms use the same key for plaintext encryption and ciphertext decryption. Common symmetric encryption algorithms include AES, Blowfish, and RC4.
Analyst context for executives and security teams
This mobile ATT&CK sub-technique matters because encrypted command-and-control can hide malicious app communications even when the network protocol itself does not provide protection. For leaders, the issue is not the use of AES, Blowfish, or RC4 by itself; it is whether mobile security, network monitoring, and incident response teams can recognize suspicious encrypted traffic patterns and connect them back to Android or iOS device risk.
Executive priority
Prioritize this where mobile devices handle sensitive identity, banking, executive, government, or operational data. ATT&CK links this behavior to Android malware families such as Rotexy, EventBot, and SharkBot, and to iOS-focused Operation Triangulation/TriangleDB context, so executives should ask whether mobile fleet visibility, app risk review, and incident response evidence are sufficient when traffic content is intentionally concealed.
Technical view
SOC and IR teams should validate coverage for Android and iOS mobile C2 that uses explicit symmetric encryption rather than relying on protocol-level security. Because official detection text is not provided, teams should map local controls against DET0650, confirm what it requires, and test whether telemetry can correlate suspicious mobile app behavior, destination patterns, encrypted payload characteristics, and application artifacts. The parent technique notes that keys may be encoded or generated within malware samples or configuration files, making malware analysis and app artifact review important where available.
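The paragraph above notes that key material may be encoded or generated inside a sample or its configuration, and the detection direction further down repeats that malware analysis should look for it. As an added example (not code from ATT&CK, MITRE or Glexia), the following script triages a list of strings, assumed to have already been extracted from an app package or its configuration files by whatever tooling the team uses, for two things: blobs that decode (hex, base64 or raw) to an AES-sized key with near-maximal byte entropy, and identifiers of symmetric crypto APIs. The sample strings, the placeholder endpoint, the key sizes (AES only; Blowfish and RC4 accept other lengths) and the entropy threshold are all constructed assumptions.

```python
"""Triage extracted app strings for embedded symmetric-key material and crypto API usage.

Added example for analyst review, not from the ATT&CK page. All sample data is constructed.
"""
import base64
import binascii
import hashlib
import math
import re
from collections import Counter

# Constructed sample: what a string-extraction pass over an APK/IPA or its config might yield.
CONSTRUCTED_KEY_B64 = base64.b64encode(hashlib.sha256(b"constructed sample key").digest()).decode()
SAMPLE_STRINGS = [
    "com.example.sideloaded",
    "https://203.0.113.10/api/v1",          # constructed placeholder endpoint
    "AES/CBC/PKCS5Padding",                 # Java cipher transformation string
    "javax.crypto.Cipher",
    "SecretKeySpec",
    "CCCrypt",                              # iOS CommonCrypto entry point
    "passwordpassword",                     # 16 printable bytes, low entropy
    "4a3f9c1be07d2685b1c3d4e5f60718a9",     # constructed hex, decodes to 16 bytes
    CONSTRUCTED_KEY_B64,                    # constructed base64, decodes to 32 bytes
    "Hello, world! Welcome to the app.",
]

KEY_SIZES = {16, 24, 32}          # AES-128/192/256; assumption: Blowfish/RC4 ranges ignored here
MIN_ENTROPY_RATIO = 0.9           # observed entropy relative to the maximum for that blob length
HEX_RE = re.compile(r"[0-9a-fA-F]+")
B64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")
CRYPTO_INDICATORS = [
    ("javax.crypto", re.compile(r"javax\.crypto")),
    ("SecretKeySpec", re.compile(r"SecretKeySpec")),
    ("AES", re.compile(r"\bAES\b")),
    ("Blowfish", re.compile(r"Blowfish", re.IGNORECASE)),
    ("RC4", re.compile(r"\bRC4\b")),
    ("CommonCrypto", re.compile(r"CCCrypt|kCCAlgorithm")),
]


def entropy_ratio(blob):
    """Shannon entropy of blob divided by the maximum possible for its length (bits/byte)."""
    n = len(blob)
    counts = Counter(blob)
    entropy = -sum(c / n * math.log2(c / n) for c in counts.values())
    return entropy / min(8.0, math.log2(n))


def classify_key_material(s):
    """Return (string, encoding, byte_length, entropy_ratio) if s looks like key material."""
    decodings = []
    if HEX_RE.fullmatch(s) and len(s) % 2 == 0:
        decodings.append(("hex", bytes.fromhex(s)))
    if B64_RE.fullmatch(s) and len(s) % 4 == 0:
        try:
            decodings.append(("base64", base64.b64decode(s, validate=True)))
        except binascii.Error:
            pass
    decodings.append(("raw", s.encode("utf-8")))
    for encoding, blob in decodings:      # first decoding that fits a key size and is random-looking wins
        if len(blob) in KEY_SIZES:
            ratio = entropy_ratio(blob)
            if ratio >= MIN_ENTROPY_RATIO:
                return (s, encoding, len(blob), round(ratio, 3))
    return None


def triage_strings(strings):
    """Collect key-material candidates and crypto API indicators from extracted strings."""
    key_candidates = []
    crypto_indicators = []
    for s in strings:
        hits = [name for name, pattern in CRYPTO_INDICATORS if pattern.search(s)]
        if hits:
            crypto_indicators.append((s, hits))
        candidate = classify_key_material(s)
        if candidate:
            key_candidates.append(candidate)
    return {"key_candidates": key_candidates, "crypto_indicators": crypto_indicators}


if __name__ == "__main__":
    report = triage_strings(SAMPLE_STRINGS)
    for item in report["key_candidates"]:
        print("key candidate:", item)
    for item in report["crypto_indicators"]:
        print("crypto indicator:", item)
```

Two limitations worth keeping in mind: a printable key with repeated characters (the constructed `passwordpassword`) falls below the entropy threshold and is deliberately not reported, so low-entropy keys still need a manual look at strings near the crypto API references; and keys derived at runtime rather than stored never appear as strings at all, which is exactly the "generated within malware" case the technique text mentions.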
Likely telemetry
- Mobile network metadata, including destination domains, IPs, ports, timing, volume, and beacon-like patterns
- DNS, proxy, VPN, secure web gateway, or mobile carrier/network logs where available
- Mobile device management or mobile threat defense events for app inventory, sideloading, risky apps, and device posture
- Endpoint/mobile security alerts from Android and iOS devices where deployed
- Application package or binary analysis artifacts, including embedded configuration data or cryptographic library/API usage indicators
Detection direction
- Review DET0650 and translate it into local detection requirements; the ATT&CK object itself does not provide detection logic.
- Do not rely on plaintext inspection: this behavior is specifically intended to conceal C2 content with symmetric cryptography.
- Correlate encrypted mobile traffic with app reputation, unusual destinations, timing regularity, and device posture rather than treating encryption alone as malicious.
- Tune for false positives because legitimate mobile applications commonly use encryption; suspiciousness depends on context, destination, app provenance, and behavior.
- Where malware analysis is available, look for encoded or generated secret material and known symmetric algorithm usage in samples or configuration files, consistent with the parent technique description.
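The detection direction above asks for correlation of timing regularity and payload characteristics with app provenance and destination context, without treating encryption alone as malicious. As an added example (not detection logic from ATT&CK, DET0650, MITRE or Glexia), the script below runs that correlation over constructed mobile flow metadata: it groups flows per device, app and destination, scores inter-arrival and size regularity with a coefficient of variation, and only raises a finding when regularity coincides with at least one context signal (app missing from an assumed MDM-approved inventory, or destination missing from an assumed known-good list). The telemetry rows, the `203.0.113.10` placeholder, the app package names and the thresholds are all constructed assumptions.

```python
"""Beacon-style triage of mobile network metadata with context correlation.

Added example, not from the ATT&CK page. All telemetry and context lists are constructed.
"""
import statistics
from collections import defaultdict

# Constructed sample telemetry: (timestamp_s, device_id, app_package, destination, bytes_out).
# In practice these rows would come from proxy, VPN, secure web gateway or MTD flow logs.
BASE_TS = 1_700_000_000
SAMPLE_FLOWS = []

# Sideloaded app with a near-fixed 60 s cadence and near-fixed payload size (constructed).
for i, jitter in enumerate([0, 1, -1, 2, 0, -2, 1, 0]):
    SAMPLE_FLOWS.append((BASE_TS + 60 * i + jitter, "dev-01", "com.example.sideloaded",
                         "203.0.113.10:443", 512 + 8 * (i % 2)))

# Approved banking app with user-driven, irregular traffic (constructed).
for offset, size in [(5, 1400), (9, 3200), (140, 900), (141, 18000),
                     (600, 2500), (605, 700), (2400, 4100), (2402, 1200)]:
    SAMPLE_FLOWS.append((BASE_TS + offset, "dev-02", "com.bank.official",
                         "api.bank.example:443", size))

# Approved push client: perfectly regular, but its destination is on the known-good list (constructed).
for i in range(8):
    SAMPLE_FLOWS.append((BASE_TS + 30 * i, "dev-02", "com.vendor.push",
                         "push.vendor.example:443", 120))

# Assumed context feeds (placeholders): MDM-approved app inventory and known-good destinations.
APPROVED_APPS = {"com.bank.official", "com.vendor.push"}
DEST_ALLOWLIST = {"push.vendor.example:443"}

MIN_FLOWS = 5            # fewer events than this is too little to judge cadence
MAX_INTERVAL_CV = 0.20   # coefficient of variation of inter-arrival times
MAX_SIZE_CV = 0.20       # coefficient of variation of outbound payload sizes


def coefficient_of_variation(values):
    """Population standard deviation divided by the mean; inf when undefined."""
    if len(values) < 2:
        return float("inf")
    mean = statistics.fmean(values)
    return statistics.pstdev(values) / mean if mean else float("inf")


def score_flows(flows):
    """Group flows per (device, app, destination) and return a verdict with reasons per group."""
    groups = defaultdict(list)
    for ts, device, app, dest, size in flows:
        groups[(device, app, dest)].append((ts, size))

    findings = {}
    for key, events in groups.items():
        if len(events) < MIN_FLOWS:
            continue
        events.sort()
        intervals = [nxt[0] - prev[0] for prev, nxt in zip(events, events[1:])]
        sizes = [size for _, size in events]
        interval_cv = coefficient_of_variation(intervals)
        size_cv = coefficient_of_variation(sizes)
        regular = interval_cv <= MAX_INTERVAL_CV and size_cv <= MAX_SIZE_CV

        _, app, dest = key
        reasons = []
        if regular:
            reasons.append(f"regular cadence ~{statistics.fmean(intervals):.0f}s "
                           f"(interval CV {interval_cv:.2f}, size CV {size_cv:.2f})")
        if app not in APPROVED_APPS:
            reasons.append("app not in approved inventory")
        if dest not in DEST_ALLOWLIST:
            reasons.append("destination not on known-good list")

        # Regularity alone never produces a finding; it needs at least one context signal.
        verdict = "beacon-candidate" if regular and len(reasons) >= 2 else "no-finding"
        findings[key] = {"verdict": verdict, "reasons": reasons,
                         "interval_cv": interval_cv, "size_cv": size_cv}
    return findings


if __name__ == "__main__":
    for key, finding in score_flows(SAMPLE_FLOWS).items():
        print(key, finding["verdict"], "; ".join(finding["reasons"]))
```

With the constructed data, only the sideloaded app's flows are reported: the push client is just as regular but both its app and destination are vouched for, and the banking app's traffic is irregular. Thresholds of 0.2 are a starting point for tuning; cadences with deliberate jitter will need a wider interval tolerance, which makes the context signals (inventory, destination reputation, device posture) carry more of the decision.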
Mitigation priorities
- Establish mobile app governance: restrict untrusted app sources, review high-risk apps, and maintain inventory for Android and iOS fleets.
- Ensure mobile network visibility is retained long enough for incident response, even when payload content cannot be decrypted.
- Prioritize controls that connect device identity, app identity, and network behavior so encrypted C2 is not assessed in isolation.
- Prepare IR playbooks for mobile devices that preserve app, network, and device posture evidence.
- Use threat intelligence relationships from ATT&CK to inform hunting hypotheses, but avoid assuming local exposure without environment-specific evidence.
Analyst notes and limits
This is a sub-technique of T1521 Encrypted Channel in the mobile domain. ATT&CK relationships document use by C0033, Operation Triangulation, Windshift, Rotexy, EventBot, SharkBot, and TriangleDB. That relationship context is useful for prioritizing mobile hunting and readiness, but it should not be interpreted as proof of current activity in any specific environment.
Official ATT&CK detection guidance is not provided, tactics are not specified, and no official mitigations are supplied in the provided fields. Practical detection and response depend heavily on local mobile fleet management, network logging, mobile security tooling, and the ability to analyze suspicious applications.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Related techniques
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Mobile | T1521 | Encrypted Channel | This object is a sub-technique of Encrypted Channel. |
Groups, software, and campaigns
G0112: Windshift
S0478: EventBot
EventBot is an Android banking trojan and information stealer that abuses Android’s accessibility service to steal data from various applications.[1] EventBot was designed to target over 200 different banking and financial applications, the majority of which are European bank and cryptocurrency exchange applications.[1]
S1216: TriangleDB
TriangleDB is an implant written in Objective-C, deployed after Binary Validator and after root privileges are obtained during Operation Triangulation’s infection chain. Upon execution, TriangleDB communicates with the C2 server, relaying information about the victim device.[1]
S1055: SharkBot
S0411: Rotexy
C0033: C0033
C0033 was a PROMETHIUM campaign during which they used StrongPity to target Android users. C0033 was the first publicly documented mobile campaign for PROMETHIUM, who previously used Windows-based techniques.[1]
C0054: Operation Triangulation
Operation Triangulation is a mobile campaign targeting iOS devices.[1] The unidentified actors used zero-click exploits in iMessage attachments to gain Initial Access, then executed exploits and validators, such as Binary Validator, before finally executing the TriangleDB implant.
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 31904b6516be… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack T1521.001 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.