1. Home
  2. Techniques
  3. Mobile
  4. System Network Configuration Discovery
  5. Wi-Fi Discovery

System Network Configuration Discovery: Wi-Fi Discovery

ID Name
T1422.001 Internet Connection Discovery
T1422.002 Wi-Fi Discovery

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems. Adversaries may use Wi-Fi information as part of Discovery or Credential Access activity to support both ongoing and future campaigns.

ID: T1422.002
Sub-technique of:  T1422
Tactic: Discovery
Platforms: Android, iOS
Version: 1.0
Created: 21 February 2024
Last Modified: 21 February 2024
Version Permalink

Procedure Examples

ID Name Description
S1079 BOULDSPY

BOULDSPY can collect network information, such as IP address, SIM card information, and Wi-Fi information.[1]
S0425 Corona Updates

Corona Updates can collect device network configuration information, such as Wi-Fi SSID and IMSI.[2]
S1077 Hornbill

Hornbill can collect a device's phone number and IMEI, and can check to see if Wi-Fi is enabled.[3]
S0463 INSOMNIA

INSOMNIA can collect the device’s phone number, ICCID, IMEI, and the currently active network interface (Wi-Fi or cellular).[4]
S1185 LightSpy

LightSpy uses the WifiList (or libWifiList) plugin to gather Wi-Fi network information, such as the SSID, BSSID, signal strength (RSSI), channel, security type, and previously saved networks.[5][6][7][8]
S0407 Monokle

Monokle checks if the device is connected via Wi-Fi or mobile data.[9]
S0316 Pegasus for Android

Pegasus for Android checks if the device is on Wi-Fi, a cellular network, and is roaming.[10]
S0326 RedDrop

RedDrop collects and exfiltrates information including IMEI, IMSI, MNC, MCC, nearby Wi-Fi networks, and other device and SIM-related info.[11]
S1056 TianySpy

TianySpy can check to see if Wi-Fi is enabled.[12]

S0427 TrickMo

TrickMo can collect device network configuration information such as IMSI, IMEI, and Wi-Fi connection state.[13]

Mitigations

ID Mitigation Description
M1006 Use Recent OS Version

Android 10 introduced changes that prevent normal applications from accessing sensitive device identifiers.[14]

Detection Strategy

ID Name Analytic ID Analytic Description
DET0709 Detection of Wi-Fi Discovery AN1833

Application vetting services could look for usage of the READ_PRIVILEGED_PHONE_STATE Android permission. This could indicate that non-system apps are attempting to access information that they do not have access to.
AN1834

Application vetting services could look for usage of the READ_PRIVILEGED_PHONE_STATE Android permission. This could indicate that non-system apps are attempting to access information that they do not have access to.

References

  1. Kyle Schmittle, Alemdar Islamoglu, Paul Shunk, Justin Albrecht. (2023, April 27). Lookout Discovers Android Spyware Tied to Iranian Police Targeting Minorities: BouldSpy. Retrieved July 21, 2023.
  2. T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. Retrieved April 24, 2020.
  3. Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. Retrieved June 9, 2023.
  4. I. Beer. (2019, August 29). Implant Teardown. Retrieved June 2, 2020.
  5. Melikov, D. (2024, April 11). LightSpy Returns: Renewed Espionage Campaign Targets Southern Asia, Possibly India. Retrieved January 14, 2025.
  6. Dmitry Bestuzhev. (2025, April 7). The Coordinated Kill Switch: LightSpy's iOS Destructive Plugin Architecture Manages Device Disablement. Retrieved April 14, 2025.
  7. ThreatFabric. (2024, October 29). LightSpy: Implant for iOS. Retrieved January 30, 2025.
  1. ThreatFabric. (2023, October 2). LightSpy mAPT Mobile Payment System Attack. Retrieved January 17, 2025.
  2. Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. Retrieved September 4, 2019.
  3. Mike Murray. (2017, April 3). Pegasus for Android: the other side of the story emerges. Retrieved April 16, 2017.
  4. Nell Campbell. (2018, February 27). RedDrop: the blackmailing mobile malware family lurking in app stores. Retrieved November 17, 2024.
  5. Trend Micro. (2022, January 25). TianySpy Malware Uses Smishing Disguised as Message From Telco. Retrieved January 11, 2023.
  6. P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. Retrieved April 24, 2020.
  7. Android. (n.d.). TelephonyManager. Retrieved December 21, 2016.