Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of operating systems they access or through information discovery of remote systems.
On Android, details of onboard network interfaces are accessible to apps through the java.net.NetworkInterface class. Previously, the Android TelephonyManager class could be used to gather telephony-related device identifiers and information, such as the IMSI, IMEI, and phone number. However, starting with Android 10, only preloaded, carrier, the default SMS, or device and profile owner applications can access the telephony-related device identifiers.
On iOS, gathering network configuration information is not possible without root access.
Adversaries may use the information from System Network Configuration Discovery during automated discovery to shape follow-on behaviors, including determining certain access within the target network and which actions to take next.
CarbonSteal has collected device network information, including 16-bit GSM Cell Identity, 16-bit Location Area Code, Mobile Country Code (MCC), and Mobile Network Code (MNC). CarbonSteal has also called
|S0316||Pegasus for Android|
|S0318||XLoader for Android|
|S0490||XLoader for iOS|
|M1006||Use Recent OS Version||
Android 10 introduced changes that prevent normal applications from accessing sensitive device identifiers.
Application vetting services could look for usage of the READ_PRIVILEGED_PHONE_STATE Android permission. This could indicate that non-system apps are attempting to access information that they do not have access to.
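One way a vetting pipeline could implement the permission check described above, as an added example that is not part of the original page. It assumes each APK's manifest has already been decoded to text XML; the sample manifests, package names, and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
# Permission named in the detection guidance above.
PRIVILEGED = "android.permission.READ_PRIVILEGED_PHONE_STATE"
# Both of these manifest elements can request a permission.
PERMISSION_TAGS = ("uses-permission", "uses-permission-sdk-23")

# Constructed sample manifests (decoded text XML, hypothetical packages).
SAMPLE_FLAGGED = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.flashlight">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PRIVILEGED_PHONE_STATE"/>
</manifest>"""
SAMPLE_CLEAN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""
SAMPLE_BROKEN = "<manifest><uses-permission"  # truncated on purpose


def vet_manifest(manifest_xml):
    """Report whether a decoded manifest requests the privileged permission."""
    try:
        root = ET.fromstring(manifest_xml)
    except ET.ParseError as exc:
        # An unparseable manifest is not "clean"; surface it for manual review.
        return {"package": None, "flagged": False, "error": str(exc), "hits": []}
    hits = []
    for tag in PERMISSION_TAGS:
        for elem in root.iter(tag):
            # android:name is namespace-qualified in the parsed tree.
            name = (elem.get(f"{{{ANDROID_NS}}}name") or "").strip()
            if name == PRIVILEGED:
                hits.append(tag)
    return {"package": root.get("package"), "flagged": bool(hits),
            "error": None, "hits": hits}


def triage(manifests):
    """Split a {sample_name: manifest_xml} batch into flagged and unparsed names."""
    results = {name: vet_manifest(xml) for name, xml in manifests.items()}
    flagged = sorted(n for n, r in results.items() if r["flagged"])
    unparsed = sorted(n for n, r in results.items() if r["error"])
    return flagged, unparsed


if __name__ == "__main__":
    batch = {"a.apk": SAMPLE_FLAGGED, "b.apk": SAMPLE_CLEAN, "c.apk": SAMPLE_BROKEN}
    print(triage(batch))
```

A hit is a lead for review rather than a verdict: the manifest alone does not show whether the app is preloaded or otherwise entitled to the permission.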