System Network Configuration Discovery

On Android, details of onboard network interfaces are accessible to apps through the java.net.NetworkInterface class [1]. The Android TelephonyManager class can be used to gather related information such as the IMSI, IMEI, and phone number [2].

ID: T1422

Tactic Type: Post-Adversary Device Access

Tactic: Discovery

Platform: Android

Version: 2.0

Mitigations

Mitigation Description
Application Vetting

Application vetting could be used to analyze applications to determine whether they access this information, including determining whether the application requests the Android ACCESS_NETWORK_STATE permission (required in order to access NetworkInterface information) or the READ_PHONE_STATE permission (required in order to access TelephonyManager information).

Use Recent OS Version

Starting in Android 6.0, applications can no longer access MAC addresses of network interfaces.[11]
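
The permission check described under Application Vetting, as an added example that is not part of the original page: it scans an AndroidManifest.xml that has already been decoded to text XML and reports requests for the two permissions the mitigation names. The function name, the sample manifest and the package name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions named in the Application Vetting mitigation, and what each gates.
WATCHED = {
    "android.permission.ACCESS_NETWORK_STATE": "NetworkInterface information",
    "android.permission.READ_PHONE_STATE": "TelephonyManager information",
}

# Constructed sample manifest (not taken from any real application).
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"
                     android:maxSdkVersion="28"/>
    <uses-permission android:name="android.permission.CAMERA"/>
</manifest>
"""

def vet_manifest(manifest_xml: str) -> list[dict]:
    """Return one finding per declaration of a watched permission."""
    # The stdlib parser is not hardened against hostile XML; a vetting
    # pipeline that handles untrusted apps should use a hardened parser.
    root = ET.fromstring(manifest_xml.strip())
    findings = []
    # <uses-permission-sdk-23> requests the permission on API 23+ devices only.
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for elem in root.findall(tag):
            name = (elem.get(ANDROID_NS + "name") or "").strip()
            if name not in WATCHED:
                continue
            max_sdk = elem.get(ANDROID_NS + "maxSdkVersion")
            findings.append({
                "permission": name,
                "gates": WATCHED[name],
                "element": tag,
                # maxSdkVersion limits the request to devices at or below it.
                "max_sdk": int(max_sdk) if max_sdk else None,
            })
    return findings

if __name__ == "__main__":
    for f in vet_manifest(SAMPLE_MANIFEST):
        scope = f"API <= {f['max_sdk']}" if f["max_sdk"] else "all API levels"
        print(f"{f['permission']} ({f['element']}, {scope}): {f['gates']}")
```

A requested permission shows only that the app is able to read the information, so a hit is a reason to review the app further rather than a verdict.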

Examples

Name Description
DualToy

DualToy collects the connected iOS device’s information including IMEI, IMSI, ICCID, serial number and phone number.[3]

Pegasus for Android

Pegasus for Android checks whether the device is on Wi-Fi or a cellular network and whether it is roaming.[4]

Pegasus for iOS

Pegasus for iOS monitors the connection state and tracks which types of networks the phone is connected to, potentially to determine the bandwidth and ability to send full data across the network.[5]

PJApps

PJApps has the capability to collect and leak the victim's phone number and mobile device unique identifier (IMEI).[6]

RedDrop

RedDrop exfiltrates IMEI, IMSI, MNC, MCC, nearby WiFi networks, and other device and SIM-related info.[7]

RuMMS

RuMMS gathers the device phone number and IMEI and transmits them to a command and control server.[8]

SpyDealer

SpyDealer harvests the phone number, IMEI, and IMSI.[9]

Stealth Mango

Stealth Mango uploads information about changes in SIM card or phone numbers on the device.[10]

Tangelo

Tangelo contains functionality to gather cellular IDs.[10]

References