Process Discovery

On Android versions prior to 5, applications can observe information about other running processes through methods of the ActivityManager class. On Android versions prior to 7, applications can obtain this information by executing the ps command or by examining the /proc directory. Starting in Android version 7, use of the Linux kernel's hidepid feature (a mount option for /proc) prevents applications without escalated privileges from accessing this information [1].

ID: T1424
Sub-techniques: No sub-techniques
Tactic Type: Post-Adversary Device Access
Tactic: Discovery
Platforms: Android
Version: 1.0
Created: 25 October 2017
Last Modified: 17 October 2018

Procedure Examples

Agent Smith

Agent Smith checks if a targeted application is running in user-space prior to infection.[2]

GolfSpy

GolfSpy can obtain a list of running processes.[3]

Rotexy

Rotexy collects information about running processes.[4]

WolfRAT

WolfRAT uses dumpsys to determine if certain applications are running.[5]

Mitigations

Application Vetting

Application vetting techniques could be used to attempt to identify applications with this behavior.

Use Recent OS Version

As stated in the technical description, Android 7 and above prevent applications without escalated privileges from accessing this information.
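The hidepid mechanism referred to in the technical description and in the Use Recent OS Version mitigation, modelled as an added example (not code from the ATT&CK page or from Android): it parses procfs mount options from constructed /proc/mounts lines and computes which PIDs an unprivileged app could enumerate or inspect; the process table, uids and the exempt group id are constructed sample data.

```python
"""Model of how the procfs hidepid mount option limits process discovery.
Added illustration, not code from the ATT&CK page or from Android itself.
The /proc/mounts lines and the process table are constructed sample data."""

# Constructed /proc/mounts lines: the first resembles a pre-Android-7 mount,
# the second a hardened mount (hidepid=2 plus an exempt group id).
MOUNTS_OLD = "proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0\n"
MOUNTS_NEW = "proc /proc proc rw,nosuid,nodev,noexec,relatime,hidepid=2,gid=3009 0 0\n"

# Constructed process table: pid -> owning uid (0 root, 1000 system, 10xxx apps).
PROCS = {1: 0, 612: 1000, 4201: 10123, 4388: 10150, 4502: 10123}

def proc_mount_options(mounts_text):
    """Return the option dict of the procfs mount at /proc, or None if absent."""
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[1] == "/proc" and fields[2] == "proc":
            opts = {}
            for opt in fields[3].split(","):
                key, _, val = opt.partition("=")
                opts[key] = val
            return opts
    return None

def hidepid_level(mounts_text):
    """hidepid level in effect; 0 (everything visible) when the option is absent."""
    opts = proc_mount_options(mounts_text) or {}
    return int(opts.get("hidepid", "0"))

def _exempt(mounts_text, caller_uid, caller_gids):
    """Root and members of the mount's gid= group are never hidden from."""
    opts = proc_mount_options(mounts_text) or {}
    exempt_gid = int(opts["gid"]) if "gid" in opts else None
    return caller_uid == 0 or exempt_gid in caller_gids

def visible_pids(mounts_text, caller_uid, caller_gids, procs=PROCS):
    """PIDs that appear when the caller lists /proc (hidepid=2 hides others')."""
    if hidepid_level(mounts_text) < 2 or _exempt(mounts_text, caller_uid, caller_gids):
        return sorted(procs)
    return sorted(pid for pid, uid in procs.items() if uid == caller_uid)

def readable_pids(mounts_text, caller_uid, caller_gids, procs=PROCS):
    """PIDs whose /proc/<pid>/* a tool such as ps can read (hidepid>=1 restricts)."""
    if hidepid_level(mounts_text) < 1 or _exempt(mounts_text, caller_uid, caller_gids):
        return sorted(procs)
    return sorted(pid for pid, uid in procs.items() if uid == caller_uid)
```

On a device, running the same parse over the real /proc/mounts confirms whether the hidepid mitigation is actually in effect for the /proc mount.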

References