Process Discovery

Adversaries may attempt to get information about running processes on a device. Information obtained could be used to gain an understanding of common software/applications running on devices within a network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

Recent Android security enhancements have made it more difficult to obtain a list of running processes. On Android 7 and later, there is no way for an application to obtain the process list without abusing elevated privileges. This is due to the Android kernel utilizing the hidepid mount feature. Prior to Android 7, applications could utilize the ps command or examine the /proc directory on the device.[1]

In iOS, applications have previously been able to use the sysctl command to obtain a list of running processes. This functionality has been removed in later iOS versions.

ID: T1424
Sub-techniques: No sub-techniques
Tactic Type: Post-Adversary Device Access
Tactic: Discovery
Platforms: Android, iOS
Version: 2.1
Created: 25 October 2017
Last Modified: 24 October 2025

Procedure Examples

ID Name Description
S0440 Agent Smith

Agent Smith checks if a targeted application is running in user-space prior to infection.[2]

S0422 Anubis

Anubis can collect a list of running processes.[3]

S1215 Binary Validator

Binary Validator has obtained a list of running processes.[4]

S1225 CherryBlos

CherryBlos has used the Accessibility Service to monitor when a wallet application has launched.[5]

S0421 GolfSpy

GolfSpy can obtain a list of running processes.[6]

S0544 HenBox

HenBox can obtain a list of running processes.[7]

S1185 LightSpy

LightSpy has collected a list of running processes.[8][9]

C0054 Operation Triangulation

During Operation Triangulation, the threat actors have obtained a list of processes.[10]

S0411 Rotexy

Rotexy collects information about running processes.[11]

S1055 SharkBot

SharkBot can use Accessibility Services to detect which process is in the foreground.[12]

S1216 TriangleDB

TriangleDB has collected a list of running processes.[10]

S0489 WolfRAT

WolfRAT uses dumpsys to determine if certain applications are running.[13]

S0311 YiSpecter

YiSpecter has collected information about running processes.[14]

Mitigations

ID Mitigation Description
M1002 Attestation

Attestation can typically detect rooted devices. For MDM-enrolled devices, action can be taken if a device fails an attestation check.

M1006 Use Recent OS Version

Android 7 and later, as well as more recent iOS versions, introduced changes that prevent applications from performing Process Discovery without elevated privileges.

Detection Strategy

ID Name Analytic ID Analytic Description
DET0692 Detection of Process Discovery AN1804

Defender observes an app/package attempting to enumerate running processes by triggering restricted process visibility mechanisms (e.g., repeated queries for running tasks/services, rapid iteration over process identifiers, or access attempts against /proc entries) that are atypical for its declared function and occur without an associated user-facing diagnostic workflow. The detection relies on correlating (1) OS/API calls or shell/system utility execution indicative of process listing or /proc traversal, (2) app privilege context (root, debug build, device owner/profile owner, accessibility/IME status), (3) background execution state, and (4) optional follow-on behaviors consistent with automated discovery (short bursts of local IPC probes, network beacons immediately after enumeration, or rapid targeting of specific high-value package/process names). The analytic should describe what is observable: repeated enumeration signals + privilege context + timing relationship, not the adversary’s intent.
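The four correlation points of AN1804 written out as a scoring analytic over constructed Android telemetry, as an added example that is not part of the ATT&CK page: the event field names (t, pkg, kind, priv, bg) are an assumed MDM/EDR export format, and the burst and follow-on thresholds are illustrative values a defender would tune.

```python
from collections import defaultdict

# Constructed sample telemetry (not real device data); the field names are an assumed
# MDM/EDR export. kind: "proc_enum" (/proc traversal, running-task API call,
# ps/dumpsys execution), "net" (outbound connection) or "ipc" (local IPC probe).
EVENTS = [
    # (1)-(4): root, background, enumeration burst, then an immediate beacon.
    {"t": 100, "pkg": "com.example.backup", "kind": "proc_enum", "priv": "root", "bg": True},
    {"t": 101, "pkg": "com.example.backup", "kind": "proc_enum", "priv": "root", "bg": True},
    {"t": 102, "pkg": "com.example.backup", "kind": "proc_enum", "priv": "root", "bg": True},
    {"t": 105, "pkg": "com.example.backup", "kind": "net", "priv": "root", "bg": True},
    # A foreground, unprivileged task-manager app: burst only, weak signal.
    {"t": 200, "pkg": "com.example.taskmgr", "kind": "proc_enum", "priv": "none", "bg": False},
    {"t": 201, "pkg": "com.example.taskmgr", "kind": "proc_enum", "priv": "none", "bg": False},
    {"t": 202, "pkg": "com.example.taskmgr", "kind": "proc_enum", "priv": "none", "bg": False},
    # A single query is not a burst and produces no finding.
    {"t": 300, "pkg": "com.example.weather", "kind": "proc_enum", "priv": "none", "bg": True},
]

ENUM_BURST = 3        # this many enumeration signals ...
WINDOW = 30           # ... within this many seconds is a burst
FOLLOWON_WINDOW = 10  # beacon/IPC this soon after the burst counts as follow-on
ELEVATED = {"root", "debug", "device_owner", "profile_owner", "accessibility", "ime"}

def find_burst(enums):
    """Return (start, end) timestamps of the first enumeration burst, or None."""
    for i, first in enumerate(enums):
        window = [e for e in enums[i:] if e["t"] - first["t"] <= WINDOW]
        if len(window) >= ENUM_BURST:
            return first["t"], window[-1]["t"]
    return None

def analyze(events):
    """Score each package on the four AN1804 correlation points; return {pkg: score}."""
    by_pkg = defaultdict(list)
    for e in sorted(events, key=lambda e: e["t"]):
        by_pkg[e["pkg"]].append(e)
    scores = {}
    for pkg, evs in by_pkg.items():
        enums = [e for e in evs if e["kind"] == "proc_enum"]
        burst = find_burst(enums)
        if burst is None:
            continue                                   # (1) no enumeration burst: skip
        start, end = burst
        in_burst = [e for e in enums if start <= e["t"] <= end]
        score = 1                                      # (1) burst present
        score += any(e["priv"] in ELEVATED for e in in_burst)   # (2) privilege context
        score += all(e["bg"] for e in in_burst)                 # (3) no user-facing workflow
        score += any(e["kind"] in ("net", "ipc") and end < e["t"] <= end + FOLLOWON_WINDOW for e in evs)  # (4)
        scores[pkg] = score
    return scores
```

A score of 4 for com.example.backup reflects all four observables coinciding, while the foreground task manager scores 1 and the single weather query produces no finding at all.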

AN1805

Defender observes signals consistent with attempted process listing on iOS where modern OS protections generally prevent broad process enumeration for non-root apps. Detections therefore focus on: (1) feasibility gating via integrity/jailbreak posture, and (2) observable security/log anomalies consistent with attempts to query process tables or restricted system interfaces (e.g., repeated sandbox denials, suspicious sysctl-like access attempts, or abnormal use of private frameworks). Correlate integrity compromise indicators with repeated restricted-access events and optional follow-on behaviors (rapid targeting of specific bundles/services or immediate network beacons) to raise confidence that process discovery is occurring.

References