Mobile Command and Control consists of techniques adversaries use to communicate with and control compromised mobile devices. These include using standard web protocols, encrypted channels, domain generation algorithms, and leveraging legitimate web services as C2 channels to blend in with normal mobile traffic.
Tactic Overview
Tactic ID: TA0037 — Matrix: Mobile — Techniques: 9
The Command and Control tactic represents a phase in the adversary lifecycle where the adversary is trying to communicate with compromised devices to control them. This tactic is part of the MITRE ATT&CK Mobile matrix and encompasses 9 known techniques that adversaries employ during this phase of an attack.
Understanding this tactic is critical for defenders to build effective detection strategies and implement appropriate countermeasures. Organizations should map their security controls against each technique to identify coverage gaps and prioritize defensive investments.
Techniques (9)
The following techniques are categorized under the Command and Control tactic in the MITRE ATT&CK Mobile matrix:
| Technique ID | Name | Description | MITRE Reference |
|---|---|---|---|
T1437 | Application Layer Protocol (1 sub-techniques) | Adversaries communicate over standard protocols from mobile devices to blend C2 traffic with normal mobile traffic. | T1437 |
T1616 | Call Control | Adversaries manipulate phone call functionality to redirect calls, block calls, or make unauthorized calls. | T1616 |
T1637 | Dynamic Resolution (1 sub-techniques) | Adversaries use domain generation algorithms and dynamic DNS on mobile malware to vary C2 infrastructure. | T1637 |
T1521 | Encrypted Channel (3 sub-techniques) | Adversaries encrypt mobile C2 communications using symmetric or asymmetric cryptography. | T1521 |
T1544 | Ingress Tool Transfer | Adversaries download additional tools and payloads to compromised mobile devices. | T1544 |
T1509 | Non-Standard Port | Adversaries use non-standard ports for mobile C2 to bypass filtering. | T1509 |
T1644 | Out of Band Data | Adversaries use out-of-band channels (SMS, calls) for C2 with compromised mobile devices. | T1644 |
T1663 | Remote Access Software | Adversaries install legitimate remote access tools on mobile devices as C2 mechanisms. | T1663 |
T1481 | Web Service (3 sub-techniques) | Adversaries use legitimate web services for mobile C2 to blend with normal mobile web traffic. | T1481 |
Detection & Mitigation
Organizations should implement layered defenses addressing each technique within this tactic. Below are key mitigation strategies recommended by Mjolnir Security analysts.
Key Mitigations
- VPN enforcement
- Network traffic analysis
- DNS filtering
- Certificate pinning validation
- Mobile threat defense
Detection Strategies
Effective detection of Command and Control techniques requires a combination of log analysis, behavioral monitoring, and threat intelligence correlation. Security teams should focus on establishing baselines for normal activity and alerting on deviations that may indicate adversary behavior aligned with this tactic.
- SIEM Integration: Correlate events across multiple data sources to detect technique patterns
- Behavioral Analytics: Deploy UEBA solutions to identify anomalous activity indicative of this tactic
- Threat Hunting: Proactively search for indicators of techniques within this tactic using hypothesis-driven investigations
- Purple Teaming: Regularly test detection coverage by simulating techniques from this tactic
Associated Threat Actors
The following threat actors are known to heavily leverage techniques from the Command and Control tactic:
For comprehensive threat actor profiles, visit the APT Groups Hub.
Resources & References
Defend Against Command and Control Techniques
Mjolnir Security provides expert threat intelligence, purple team exercises, and detection engineering services to help organizations defend against adversary tactics mapped to the MITRE ATT&CK framework.
Stay updated on MITRE ATT&CK developments and threat intelligence insights.
View All Reports →Written by Mjolnir Security Research — Published March 7, 2026