Process Discovery

On Android versions prior to 5, applications can observe information about other processes that are running through methods in the ActivityManager class. On Android versions prior to 7, applications can obtain this information by executing the ps command, or by examining the /proc directory. Starting in Android version 7, use of the Linux kernel's hidepid feature prevents applications (without escalated privileges) from accessing this information [1].

ID: T1424

Tactic Type:  Post-Adversary Device Access

Tactic: Discovery

Platform:  Android

Version: 1.0


Application VettingApplication vetting techniques could be used to attempt to identify applications with this behavior.
Use Recent OS VersionAs stated in the technical description, Android 7 and above prevent applications from accessing this information.