System Network Configuration Discovery

On Android, details of onboard network interfaces are accessible to apps through the java.net.NetworkInterface class.[1] The Android TelephonyManager class can be used to gather related information such as the IMSI, IMEI, and phone number.[2]

On iOS, gathering network configuration information is not possible without root access.

ID: T1422
Sub-techniques:  No sub-techniques
Tactic Type: Post-Adversary Device Access
Tactic: Discovery
Platforms: Android, iOS
Version: 2.1
Created: 25 October 2017
Last Modified: 02 June 2020

Procedure Examples

Name Description
ANDROIDOS_ANSERVER.A

ANDROIDOS_ANSERVER.A gathers the device IMEI and IMSI.[12]

Bread

Bread collects the device’s IMEI, carrier, mobile country code, and mobile network code.[20]

Corona Updates

Corona Updates can collect device network configuration information, such as Wi-Fi SSID and IMSI.[18]

DualToy

DualToy collects the connected iOS device’s information including IMEI, IMSI, ICCID, serial number and phone number.[11]

EventBot

EventBot can gather device network information.[22]

Exodus

Exodus One queries the device for its IMEI code and the phone number in order to validate the target of a new infection.[14]

Gustuff

Gustuff gathers the device IMEI to send to the command and control server.[15]

INSOMNIA

INSOMNIA can collect the device’s phone number, ICCID, IMEI, and the currently active network interface (Wi-Fi or cellular).[21]

Monokle

Monokle checks if the device is connected via Wi-Fi or mobile data.[16]

Pegasus for Android

Pegasus for Android checks if the device is on Wi-Fi, a cellular network, and is roaming.[4]

Pegasus for iOS

Pegasus for iOS monitors the connection state and tracks which types of networks the phone is connected to, potentially to determine the bandwidth and ability to send full data across the network.[10]

PJApps

PJApps has the capability to collect and leak the victim's phone number, mobile device unique identifier (IMEI).[8]

RedDrop

RedDrop collects and exfiltrates information including IMEI, IMSI, MNC, MCC, nearby Wi-Fi networks, and other device and SIM-related info.[7]

Riltok

Riltok can query the device's IMEI.[13]

Rotexy

Rotexy collects the device's IMEI and sends it to the command and control server.[17]

RuMMS

RuMMS gathers the device phone number and IMEI and transmits them to a command and control server.[5]

SpyDealer

SpyDealer harvests the device phone number, IMEI, and IMSI.[6]

Stealth Mango

Stealth Mango collects and uploads information about changes in SIM card or phone numbers on the device.[9]

Tangelo

Tangelo contains functionality to gather cellular IDs.[9]

TrickMo

TrickMo can collect device network configuration information such as IMSI, IMEI, and Wi-Fi connection state.[19]

Mitigations

Mitigation Description
Application Vetting

Application vetting could be used to analyze applications to determine whether they access this information, including determining whether the application requests the Android ACCESS_NETWORK_STATE permission (required in order to access NetworkInterface information) or the READ_PHONE_STATE permission (required in order to access TelephonyManager information).

Use Recent OS Version

Starting in Android 6.0, applications can no longer access MAC addresses of network interfaces.[3]

References