Adversaries may seek to identify all applications installed on the device. One use case for doing so is to identify the presence of endpoint security applications that may increase the adversary's risk of detection. Another use case is to identify the presence of applications that the adversary may wish to target.
|T1419||Device Type Discovery|
On Android, device type information is accessible to apps through the android.os.Build class . Device information could be used to target privilege escalation exploits.
|T1420||File and Directory Discovery|
On Android, command line tools or the Java file APIs can be used to enumerate file system contents. However, Linux file permissions and SELinux policies generally strongly restrict what can be accessed by apps (without taking advantage of a privilege escalation exploit). The contents of the external storage directory are generally visible, which could present concern if sensitive data is inappropriately stored there.
|T1423||Network Service Scanning|
Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation. Methods to acquire this information include port scans and vulnerability scans from the mobile device. This technique may take advantage of the mobile device's access to an internal enterprise network either through local connectivity or through a Virtual Private Network (VPN).
On Android versions prior to 5, applications can observe information about other processes that are running through methods in the ActivityManager class. On Android versions prior to 7, applications can obtain this information by executing the
|T1426||System Information Discovery|
An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, and architecture.
|T1422||System Network Configuration Discovery|
On Android, details of onboard network interfaces are accessible to apps through the java.net.NetworkInterface class . The Android TelephonyManager class can be used to gather related information such as the IMSI, IMEI, and phone number .
|T1421||System Network Connections Discovery|
On Android, applications can use standard APIs to gather a list of network connections to and from the device. For example, the Network Connections app available in the Google Play Store advertises this functionality.