Discovery consists of techniques that allow the adversary to gain knowledge about the characteristics of the mobile device and potentially other networked systems. When adversaries gain access to a new system, they must orient themselves to what they now have control of and what benefits operating from that system give to their current objective or overall goals during the intrusion. The operating system may provide capabilities that aid in this post-compromise information-gathering phase.
ID: TA0032


Techniques: 8
T1418Application Discovery

Adversaries may seek to identify all applications installed on the device. One use case for doing so is to identify the presence of endpoint security applications that may increase the adversary's risk of detection. Another use case is to identify the presence of applications that the adversary may wish to target.

T1419Device Type Discovery

On Android, device type information is accessible to apps through the android.os.Build class . Device information could be used to target privilege escalation exploits.

T1420File and Directory Discovery

On Android, command line tools or the Java file APIs can be used to enumerate file system contents. However, Linux file permissions and SELinux policies generally strongly restrict what can be accessed by apps (without taking advantage of a privilege escalation exploit). The contents of the external storage directory are generally visible, which could present concern if sensitive data is inappropriately stored there.

T1423Network Service Scanning

Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation. Methods to acquire this information include port scans and vulnerability scans from the mobile device. This technique may take advantage of the mobile device's access to an internal enterprise network either through local connectivity or through a Virtual Private Network (VPN).

T1424Process Discovery

On Android versions prior to 5, applications can observe information about other processes that are running through methods in the ActivityManager class. On Android versions prior to 7, applications can obtain this information by executing the ps command, or by examining the /proc directory. Starting in Android version 7, use of the Linux kernel's hidepid feature prevents applications (without escalated privileges) from accessing this information .

T1426System Information Discovery

An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, and architecture.

T1422System Network Configuration Discovery

On Android, details of onboard network interfaces are accessible to apps through the class . The Android TelephonyManager class can be used to gather related information such as the IMSI, IMEI, and phone number .

T1421System Network Connections Discovery

On Android, applications can use standard APIs to gather a list of network connections to and from the device. For example, the Network Connections app available in the Google Play Store advertises this functionality.