MITRE ATT&CK® Technique

T1643: Generate Traffic from Victim

Adversaries may generate outbound traffic from devices. This is typically performed to manipulate external outcomes, such as to achieve carrier billing fraud or to manipulate app store rankings or ratings. Outbound traffic is typically generated as SMS messages or general web traffic, but may take other forms as well.

If done via SMS messages, Android apps must hold the `SEND_SMS` permission. Additionally, sending an SMS message requires user consent if the recipient is a premium number. Applications cannot send SMS messages on iOS.

Mobile | T1643 | Technique | Object v1.1
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

Generate Traffic from Victim is mobile behavior where a compromised or malicious app causes a user’s Android or iOS device to send outbound traffic, such as SMS messages or web requests, to create financial or reputational outcomes like carrier billing fraud, ad fraud, or app store manipulation. For leaders, the risk is not only malware on a phone; it is uncontrolled use of trusted employee or customer devices to create charges, abuse business reputation, consume network resources, or obscure fraud behind legitimate device activity.

Executive priority

Prioritize this where mobile devices are part of workforce operations, customer engagement, regulated communications, or bring-your-own-device programs. The business questions are: can the organization see abnormal SMS or web traffic from managed mobile devices, can it identify risky apps and permissions, and can incident responders distinguish user-driven activity from automated app behavior? This technique also supports compliance and audit discussions around mobile application governance, user guidance, and evidence that mobile risk controls are operating.

Technical view

For Android, validate visibility into apps requesting or holding SEND_SMS and into unusual SMS or web traffic patterns from devices. MITRE notes that Android apps must hold SEND_SMS to send SMS, and premium-number SMS requires user consent; iOS applications cannot send SMS messages. For both Android and iOS, defenders should focus on anomalous outbound web traffic, automated ad or ranking-related activity, and device/app behavior that does not match user activity. Relationship context shows this technique consolidates prior ATT&CK behaviors for carrier billing fraud, app store ranking/rating manipulation, and fraudulent advertising revenue, and is used by multiple Android malware families and adware examples. DET0608 is identified as a related detection strategy, but the supplied object does not include detection logic.

Likely telemetry

  • Mobile device management or enterprise mobility inventory for device platform, installed apps, and app permissions
  • Android application permission data, especially SEND_SMS where available
  • SMS activity records or carrier billing indicators where the organization has lawful and operational access
  • Mobile network, DNS, proxy, or secure web gateway logs showing outbound web traffic from mobile devices
  • Mobile threat defense or endpoint telemetry for suspicious app behavior, automated clicks, or background traffic

Detection direction

  • Validate whether mobile telemetry can connect outbound traffic to a device, user, app, and permission state; without that correlation, traffic may appear legitimate.
  • Tune for unusual SMS volume, premium-number interactions, or SEND_SMS use by apps with no business need on Android.
  • For web traffic, look for background request bursts, repeated ad-related requests, automated click-like patterns, or traffic inconsistent with normal user interaction, while accounting for legitimate mobile app background activity.
  • Separate Android and iOS assumptions: SMS-generation detection is Android-relevant per the supplied ATT&CK text; iOS apps cannot send SMS messages, so iOS focus should be on other outbound traffic forms.
  • Use the revoked-by context as analytic coverage guidance: include billing fraud, app store manipulation, and ad fraud scenarios rather than treating them as unrelated detections.
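As an added example, not part of the Glexia analysis or the MITRE text, the following Python sketch applies the correlation and tuning points above to constructed MDM inventory and SMS activity records: it lists Android apps holding SEND_SMS without business approval, detects per-app SMS bursts with a sliding window, and joins each SMS record back to the sending app's permission and approval state. Field names, the burst threshold, and the use of 4-6 digit short codes as a stand-in for premium numbers are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed MDM inventory rows; field names are assumptions, not a real MDM schema
INVENTORY = [
    {"device": "d-001", "platform": "Android", "app": "com.corp.field", "permissions": {"SEND_SMS", "INTERNET"}, "approved": True},
    {"device": "d-001", "platform": "Android", "app": "com.free.wallpaper", "permissions": {"SEND_SMS", "INTERNET"}, "approved": False},
    {"device": "d-002", "platform": "iOS", "app": "com.free.game", "permissions": set(), "approved": False},
]
# Constructed SMS records: six sends to a short code within 25 seconds, plus one normal business send
SMS_LOG = [{"device": "d-001", "app": "com.free.wallpaper", "to": "83512",
            "ts": "2024-05-01T10:00:%02d" % s} for s in range(0, 30, 5)]
SMS_LOG.append({"device": "d-001", "app": "com.corp.field", "to": "+15551230001", "ts": "2024-05-01T09:00:00"})

def unapproved_send_sms_apps(inventory):
    """Android apps holding SEND_SMS with no business approval (iOS rows are skipped)."""
    return sorted((r["device"], r["app"]) for r in inventory
                  if r["platform"] == "Android" and "SEND_SMS" in r["permissions"] and not r["approved"])

def sms_bursts(records, max_per_window=5, window=timedelta(minutes=1)):
    """(device, app) pairs that send more than max_per_window messages inside any sliding window."""
    by_sender = defaultdict(list)
    for r in records:
        by_sender[(r["device"], r["app"])].append(datetime.fromisoformat(r["ts"]))
    flagged = set()
    for key, times in by_sender.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # slide the window's left edge forward
                start += 1
            if end - start + 1 > max_per_window:
                flagged.add(key)
                break
    return flagged

def correlate(records, inventory):
    """Join each SMS record to the sender's permission/approval state; return flagged records with reasons."""
    state = {(r["device"], r["app"]): r for r in inventory}
    findings = []
    for r in records:
        app, reasons = state.get((r["device"], r["app"])), []
        if app is None or "SEND_SMS" not in app["permissions"]:
            reasons.append("sender not in inventory with SEND_SMS")  # stale inventory or unmanaged app
        elif not app["approved"]:
            reasons.append("unapproved app")
        if r["to"].isdigit() and 4 <= len(r["to"]) <= 6:  # assumption: short codes stand in for premium numbers
            reasons.append("short-code destination")
        if reasons:
            findings.append((r["device"], r["app"], r["to"], reasons))
    return findings
```

The approved business app's single send to a full-length number produces no finding, while the unapproved wallpaper app is flagged by all three checks.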

Mitigation priorities

  • Start with user guidance, as MITRE maps M1011 to this technique: train users to avoid risky app sources and recognize unexpected permissions, charges, or automated activity.
  • Restrict or review high-risk Android permissions such as SEND_SMS for managed devices and business-approved apps.
  • Use mobile device management or equivalent governance to maintain app inventory, control untrusted app installation where appropriate, and support rapid removal of suspect apps.
  • Establish incident response playbooks for mobile fraud indicators, including billing review, app removal, device containment, and user notification steps.
  • For compliance evidence, retain records showing mobile app governance, user guidance, permission review, and response actions rather than relying only on network alerts.

Analyst notes and limits

This object is especially useful for mobile security program validation because it links several practical fraud outcomes under one behavior: sending or generating traffic from a victim device. The relationship set is heavily Android-oriented, with many related software examples listed as Android malware or adware; however, the technique platform field includes both Android and iOS, so detection planning should distinguish SMS-specific Android behavior from more general outbound traffic activity.

The ATT&CK object provides no official detection text and no tactic assignment. The supplied relationships identify a detection strategy and mitigation, but do not include detailed detection logic. Local telemetry availability, mobile management scope, BYOD policy, carrier access, and privacy/legal constraints will determine what can actually be monitored.

Official MITRE ATT&CK definition

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID    | Name                                     | Relationship / procedure
Mobile | T1472 | Generate Fraudulent Advertising Revenue  | Generate Fraudulent Advertising Revenue revoked by this object.
Mobile | T1448 | Carrier Billing Fraud                    | Carrier Billing Fraud revoked by this object.
Mobile | T1452 | Manipulate App Store Rankings or Ratings | Manipulate App Store Rankings or Ratings revoked by this object.
Associated objects

Groups, software, and campaigns

S0325: Judy (Malware, Mobile)

Judy is auto-clicking adware that was distributed through multiple apps in the Google Play Store. [1]

S0290: Gooligan (Malware, Mobile, Android)

Gooligan is a malware family that runs privilege escalation exploits on Android devices and then uses its escalated privileges to steal authentication tokens that can be used to access data from many Google applications. Gooligan has been described as part of the Ghost Push Android malware family. [1] [2] [3]

S0440: Agent Smith (Malware, Mobile, Android)

Agent Smith is mobile malware that generates financial gain by replacing legitimate applications on devices with malicious versions that include fraudulent ads. As of July 2019, Agent Smith had infected around 25 million devices, primarily targeting India, though effects had been observed in other Asian countries as well as Saudi Arabia, the United Kingdom, and the United States. [1]

S0419: SimBad (Malware, Mobile, Android)

SimBad was a strain of adware on the Google Play Store, distributed through the RXDroider Software Development Kit. The name "SimBad" was derived from the fact that most of the infected applications were simulator games. The adware was controlled using an instance of the open source framework Parse Server. [1]

S0432: Bread (Malware, Mobile, Android)

Bread was a large-scale billing fraud malware family known for employing many different cloaking and obfuscation techniques in an attempt to continuously evade Google Play Store's malware detection. 1,700 unique Bread apps were detected and removed from the Google Play Store before being downloaded by users. [1]
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.1
Raw hash: cbcb33d85a084d9d...

Imported snapshots across ATT&CK releases (1): release 19.1, object version 1.1, current bundle, raw hash cbcb33d85a08…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. NIST Mobile Threat Catalogue APP-16
  2. mitre-attack T1643

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.