Ingress Tool Transfer

Adversaries may transfer tools or other files from an external system onto a compromised device to facilitate follow-on actions. Files may be copied from an external adversary-controlled system through the command and control channel or through alternate protocols with another tool such as FTP.

ID: T1544
Sub-techniques: No sub-techniques
Tactic Type: Post-Adversary Device Access
Platforms: Android, iOS
Version: 2.2
Created: 21 January 2020
Last Modified: 12 May 2026

Procedure Examples

ID Name Description
S1061 AbstractEmu

AbstractEmu can receive files from the C2 at runtime.[1]

C0033 C0033

During C0033, PROMETHIUM used StrongPity to receive files from the C2 and execute them via the parent application.[2]

S1083 Chameleon

Chameleon has downloaded HTML overlay pages after installation.[3]

S1225 CherryBlos

CherryBlos has received configuration files from the C2 server.[4]

S9005 DocSwap

DocSwap has the ability to upload and download files via socket communication.[5][6]

S1231 GodFather

GodFather has downloaded Google Play Store, Google Play services and Google Services Framework APK to a virtual folder.[7]

S1185 LightSpy

LightSpy has retrieved files from the C2 server.[8][9] Examples of files from the C2 are amfidebilitate (jailbreak component), jbexec (executable to verify jailbreak), bb (FrameworkLoader), cc (launchctl binary for persistence), b.plist (configuration for auto-start), and resources.zip, which contains additional jailbreak-related components.[10]

S0485 Mandrake

Mandrake can install attacker-specified components or applications.[11]

S0407 Monokle

Monokle can download attacker-specified files.[12]

C0054 Operation Triangulation

During Operation Triangulation, the threat actors downloaded subsequent stages from the C2.[13][14]

S1126 Phenakite

Phenakite can download additional malware to the victim device.[15]

S0326 RedDrop

RedDrop uses ads or other links within websites to encourage users to download the malicious apps using a complex content distribution network (CDN) and series of network redirects. RedDrop also downloads additional components (APKs, JAR files) from different C2 servers.[16]

S1055 SharkBot

SharkBot can download attacker-specified files.[17]

S1195 SpyC23

SpyC23 can download more malware to the victim device.[18][19][20]

S1082 Sunbird

Sunbird can download adversary-specified content from FTP shares.[21]

S1216 TriangleDB

TriangleDB has loaded additional modules stored in memory.[14]

S0418 ViceLeaker

ViceLeaker can download attacker-specified files.[22]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection Strategy

ID: DET0718
Name: Detection of Ingress Tool Transfer

Analytic AN1848 (Android)

The defender correlates an application establishing outbound retrieval to a non-baselined external source with immediate local creation of a new executable, module, staged payload, overlay asset, or secondary file in app-controlled or shared storage, followed by optional load, invocation, handoff, or repeat retrieval behavior. The analytic prioritizes Android-observable effects: network download activity, DownloadManager or direct HTTP retrieval, file creation in package-specific or external paths, and execution context inconsistent with recent user interaction or the app’s declared role.

Analytic AN1849 (iOS)

The defender correlates managed-app network retrieval from a non-baselined external source with immediate creation of a new local artifact, staged resource, module-like file, or opaque payload inside the app container, followed by optional dynamic loading, handoff, or repeat retrieval behavior. Because iOS offers weaker direct visibility into tool staging internals than Android in many environments, the analytic anchors first on network acquisition plus managed app identity and then strengthens confidence with file creation or process-activity effects where mobile telemetry is available.
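The two analytics above describe the same correlation with different anchors: on Android, a download from a non-baselined source must be followed by a staged artifact before an alert fires; on iOS, a managed app's acquisition from a non-baselined source is itself a low-confidence finding that file-creation and load effects strengthen. The following Python correlator is an added example, not MITRE's or any vendor's code. The event schema, field names (`net_download`, `file_create`, `code_load`, `managed`), baseline table, package names, hosts and paths are all constructed assumptions standing in for whatever the MDM or EDR telemetry actually emits.

```python
"""Correlator for DET0718-style Ingress Tool Transfer detection (added example).

Event schema, package names, hosts, paths and the baseline are constructed
for illustration; real telemetry field names will differ.
"""
import os
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed baseline: external sources each app is expected to retrieve from.
BASELINE = {
    "com.example.notes": {"api.example-notes.test", "cdn.example-notes.test"},
    "com.example.weather": {"weather-api.example.test"},
}

# Constructed telemetry. "managed" marks apps enrolled in MDM (iOS anchor).
EVENTS = [
    {"ts": "2026-05-12T09:00:01", "platform": "android", "pkg": "com.example.weather",
     "type": "net_download", "host": "weather-api.example.test"},
    {"ts": "2026-05-12T09:00:02", "platform": "android", "pkg": "com.example.weather",
     "type": "file_create", "path": "/data/data/com.example.weather/cache/forecast.json"},
    {"ts": "2026-05-12T09:05:00", "platform": "android", "pkg": "com.example.notes",
     "type": "net_download", "host": "203.0.113.7"},
    {"ts": "2026-05-12T09:05:02", "platform": "android", "pkg": "com.example.notes",
     "type": "file_create", "path": "/data/data/com.example.notes/files/update.dex"},
    {"ts": "2026-05-12T09:05:04", "platform": "android", "pkg": "com.example.notes",
     "type": "code_load", "path": "/data/data/com.example.notes/files/update.dex"},
    {"ts": "2026-05-12T09:10:00", "platform": "ios", "pkg": "com.example.notes",
     "type": "net_download", "host": "203.0.113.7", "managed": True},
    {"ts": "2026-05-12T09:10:01", "platform": "ios", "pkg": "com.example.notes",
     "type": "file_create", "managed": True,
     "path": "/var/mobile/Containers/Data/Application/UUID-PLACEHOLDER/Library/cfg.bin"},
]

WINDOW = timedelta(seconds=60)
# Extensions treated as module-like or opaque payloads (assumption).
STAGED_EXT = {".dex", ".apk", ".jar", ".so", ".zip", ".bin", ".html"}


def is_non_baselined(pkg, host):
    """True when the app has no baseline entry for this external source."""
    return host not in BASELINE.get(pkg, set())


def looks_staged(path, pkg):
    """File landed in app-controlled or shared storage with a payload-like extension."""
    in_app_store = f"/{pkg}/" in path or "/Containers/Data/Application/" in path
    in_shared = path.startswith(("/sdcard/", "/storage/emulated/"))
    ext = os.path.splitext(path)[1].lower()
    return (in_app_store or in_shared) and ext in STAGED_EXT


def correlate(events, window=WINDOW):
    """Return findings: one per non-baselined download that meets the platform anchor."""
    by_app = defaultdict(list)
    for e in events:
        by_app[(e["platform"], e["pkg"])].append(e)

    findings = []
    for (platform, pkg), evs in by_app.items():
        evs.sort(key=lambda e: e["ts"])  # ISO-8601 strings sort chronologically
        for i, e in enumerate(evs):
            if e["type"] != "net_download" or not is_non_baselined(pkg, e["host"]):
                continue
            t0 = datetime.fromisoformat(e["ts"])
            staged, loaded = [], []
            # Look forward within the window for local effects of the download.
            for f in evs[i + 1:]:
                if datetime.fromisoformat(f["ts"]) - t0 > window:
                    break
                if f["type"] == "file_create" and looks_staged(f["path"], pkg):
                    staged.append(f["path"])
                elif f["type"] in ("code_load", "exec") and f.get("path") in staged:
                    loaded.append(f["path"])
            if platform == "android":
                if not staged:          # AN1848: the local artifact is required
                    continue
                analytic, confidence = "AN1848", "high" if loaded else "medium"
            else:
                if not e.get("managed"):  # AN1849: anchor on managed-app identity
                    continue
                analytic = "AN1849"
                confidence = "high" if loaded else ("medium" if staged else "low")
            findings.append({"analytic": analytic, "platform": platform, "pkg": pkg,
                             "source": e["host"], "staged": staged, "loaded": loaded,
                             "confidence": confidence})
    return findings


if __name__ == "__main__":
    for finding in correlate(EVENTS):
        print(finding)
```

Run against the constructed events, the weather app produces nothing because its source is baselined, the Android notes app produces a high-confidence AN1848 finding (download, staged `.dex`, then load), and the iOS notes app produces a medium-confidence AN1849 finding (managed-app download plus a container artifact, no observed load). Tuning the baseline and `STAGED_EXT` to the fleet's real traffic is where most of the false-positive work lives.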

References

  1. Shunk, P., Balaam, K. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. Retrieved February 6, 2023.
  2. Stefanko, L. (2023, January 10). StrongPity espionage campaign targeting Android users. Retrieved January 31, 2023.
  3. Cyble Research & Intelligence Labs. (2023, April 13). Banking Trojan targeting mobile users in Australia and Poland. Retrieved August 16, 2023.
  4. Trend Micro Research. (2023, July 28). Related CherryBlos and FakeTrade Android Malware Involved in Scam Campaigns. Retrieved March 28, 2025.
  5. EnkiWhiteHat. (2025, December 16). Kimsuky Distributing Malicious Mobile App via QR Code. Retrieved January 8, 2026.
  6. Kim, H., S2W TALON. (2025, March 13). Detailed Analysis of DocSwap Malware Disguised as Security Document Viewer. Retrieved January 12, 2026.
  7. Ortega, F., Pratapagiri, V. (2025, June 18). Your Mobile App, Their Playground: The Dark Side of Virtualization. Retrieved July 16, 2025.
  8. Melikov, D. (2024, April 11). LightSpy Returns: Renewed Espionage Campaign Targets Southern Asia, Possibly India. Retrieved January 14, 2025.
  9. ThreatFabric. (2024, October 29). LightSpy: Implant for iOS. Retrieved January 30, 2025.
  10. Bestuzhev, D. (2025, April 7). The Coordinated Kill Switch: LightSpy's iOS Destructive Plugin Architecture Manages Device Disablement. Retrieved April 14, 2025.
  11. Gevers, R., Tivadar, M., Bleotu, R., Barbatei, A. M., et al. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020.
  12. Bauer, A., Kumar, A., Hebeisen, C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. Retrieved September 4, 2019.
  13. Kuznetsov, I., et al. (2023, June 1). Operation Triangulation: iOS devices targeted with previously unknown malware. Retrieved April 18, 2024.
  14. Kucherin, G., et al. (2023, June 21). Dissecting TriangleDB, a Triangulation spyware implant. Retrieved April 18, 2024.
  15. Flossman, M., Scott, M. (2021, April). Technical Paper // Taking Action Against Arid Viper. Retrieved November 17, 2024.
  16. Campbell, N. (2018, February 27). RedDrop: the blackmailing mobile malware family lurking in app stores. Retrieved November 17, 2024.
  17. RIFT: Research and Intelligence Fusion Team. (2022, March 3). SharkBot: a "new" generation Android banking Trojan being distributed on Google Play Store. Retrieved January 18, 2023.
  18. Stefanko, L. (2020, September 30). APT-C-23 group evolves its Android spyware. Retrieved March 4, 2024.
  19. CheckPoint Research. (2020, February 16). Hamas Android Malware On IDF Soldiers - This is How it Happened. Retrieved November 17, 2024.
  20. Delamotte, A. (2023, November 6). Arid Viper | APT's Nest of SpyC23 Malware Continues to Target Android Devices. Retrieved December 2, 2024.
  21. Kumar, A., Del Rosso, K. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. Retrieved June 9, 2023.
  22. GReAT. (2019, June 26). ViceLeaker Operation: mobile espionage targeting Middle East. Retrieved November 21, 2019.