1. Home
  2. Techniques
  3. Mobile
  4. System Information Discovery

System Information Discovery

Adversaries may attempt to get detailed information about a device’s operating system and hardware, including versions, patches, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not to fully infects the target and/or attempts specific actions.

On Android, much of this information is programmatically accessible to applications through the android.os.Build class. [1] iOS is much more restrictive with what information is visible to applications. Typically, applications will only be able to query the device model and which version of iOS it is running.

ID: T1426
Sub-techniques:  No sub-techniques
Tactic Type: Post-Adversary Device Access
Tactic: Discovery
Platforms: Android, iOS
MTC ID: APP-12
Version: 1.2
Created: 25 October 2017
Last Modified: 11 April 2022
Version Permalink

Procedure Examples

ID Name Description
S1061 AbstractEmu

AbstractEmu can collect device information such as manufacturer, model, version, serial number, and telephone number.[2]
S1095 AhRat

AhRat can obtain device info such as manufacturer, device ID, OS version, and country.[3]
S0525 Android/AdDisplay.Ashas

Android/AdDisplay.Ashas can collect information about the device including device type, OS version, language, free storage space, battery status, device root, and if developer mode is enabled.[4]
S0304 Android/Chuli.A

Android/Chuli.A gathered system information including phone number, OS version, phone model, and SDK version.[5]
S0310 ANDROIDOS_ANSERVER.A

ANDROIDOS_ANSERVER.A gathers the device OS version, device build version, manufacturer, and model.[6]
S0422 Anubis

Anubis can collect the device’s ID.[7]
S0540 Asacub

Asacub can collect various pieces of device information, including device model and OS version.[8]
S1079 BOULDSPY

BOULDSPY can collect system information, such as Android version and device identifiers.[9]
S1094 BRATA

BRATA can retrieve Android system and hardware information.[10]
C0033 C0033

During C0033, PROMETHIUM used StrongPity to collect the device’s information, such as SIM serial number, SIM serial number, etc.[11]

S0529 CarbonSteal

CarbonSteal has gathered device metadata, including model, manufacturer, SD card size, disk usage, memory, CPU, and serial number.[12]
S0480 Cerberus

Cerberus can collect device information, such as the default SMS app and device locale.[13][14]
S1083 Chameleon

Chameleon can gather basic device information such as version, model, root status, and country.[15]
S0555 CHEMISTGAMES

CHEMISTGAMES has fingerprinted devices to uniquely identify them.[16]
S0425 Corona Updates

Corona Updates can collect various pieces of device information, including OS version, phone model, and manufacturer.[17]

S0505 Desert Scorpion

Desert Scorpion can collect device metadata and can check if the device is rooted.[18]
S0550 DoubleAgent

DoubleAgent has accessed common system information.[12]
S0420 Dvmap

Dvmap checks the Android version to determine which system library to patch.[19]
S0507 eSurv

eSurv’s iOS version can collect device information.[20]
S0478 EventBot

EventBot can collect system information such as OS version, device vendor, and the type of screen lock that is active on the device.[21]
S0522 Exobot

Exobot can obtain the device’s country and carrier name.[22]
S0509 FakeSpy

FakeSpy can collect device information, including OS version and device model.[23]
S0577 FrozenCell

FrozenCell has gathered the device manufacturer, model, and serial number.[24]
S0535 Golden Cup

Golden Cup can collect various pieces of device information, such as serial number and product information.[25]
S0551 GoldenEagle

GoldenEagle has checked for system root.[12]
S0421 GolfSpy

GolfSpy can obtain the device’s battery level, network operator, connection information, sensor information, and information about the device’s storage and memory.[26]
S0536 GPlayed

GPlayed can collect the device’s model, country, and Android version.[27]
S0406 Gustuff

Gustuff gathers information about the device, including the default SMS application, if SafetyNet is enabled, the battery level, the operating system version, and if the malware has elevated permissions.[28]
S0544 HenBox

HenBox can collect device information and can check if the device is running MIUI on a Xiaomi device.[29]
S1077 Hornbill

Hornbill can collect the device ID, model, manufacturer, and Android version. It can also check available storage space and if the screen is locked.[30]
S0463 INSOMNIA

INSOMNIA can collect the device’s name, serial number, iOS version, total disk space, and free disk space.[31]

S0288 KeyRaider

Most KeyRaider samples search to find the Apple account's username, password and device's GUID in data being transferred.[32]
S0485 Mandrake

Mandrake can access device configuration information and status, including Android version, battery level, device model, country, and SIM operator.[33]
S0407 Monokle

Monokle queries the device for metadata such as make, model, and power levels.[34]
S0399 Pallas

Pallas queries the device for metadata, such as device ID, OS version, and the number of cameras.[35]
S0289 Pegasus for iOS

Pegasus for iOS monitors the victim for status and disables other access to the phone by other jailbreaking software.[36]
S1126 Phenakite

Phenakite can collect device metadata.[37]

S0326 RedDrop

RedDrop exfiltrates details of the victim device operating system and manufacturer.[38]
S0403 Riltok

Riltok can query various details about the device, including phone number, country, mobile operator, model, root availability, and operating system version.[39]
S0411 Rotexy

Rotexy collects information about the compromised device, including phone number, network operator, OS version, device model, and the device registration country.[40]
S0313 RuMMS

RuMMS gathers device model and operating system version information and transmits it to a command and control server.[41]
S1062 S.O.V.A.

S.O.V.A. can gather data about the device.[42]
S1082 Sunbird

Sunbird can exfiltrate the victim device ID, model, manufacturer, and Android version.[30]
S1056 TianySpy

TianySpy can gather device UDIDs.[43]

S0558 Tiktok Pro

Tiktok Pro can check the device’s battery status.[44]
S0427 TrickMo

TrickMo can collect device information such as network operator, model, brand, and OS version.[45]
S0418 ViceLeaker

ViceLeaker collects device information, including the device model and OS version.[46]
S0506 ViperRAT

ViperRAT can collect system information, including brand, manufacturer, and serial number.[47]
G0112 Windshift

Windshift has included system information enumeration in the malicious apps deployed as part of Operation BULL and Operation ROCK.[48]
S0318 XLoader for Android

XLoader for Android collects the device’s Android ID and serial number.[49]
S0490 XLoader for iOS

XLoader for iOS can obtain the device’s UDID, version number, and product number.[49]
S0311 YiSpecter

YiSpecter has collected the device UUID.[50]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

System information discovery can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.

References

  1. Android. (n.d.). Build. Retrieved December 21, 2016.
  2. P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. Retrieved February 6, 2023.
  3. Lukas Stefanko. (2023, May 23). Android app breaking bad: From legitimate screen recording to file exfiltration within a year. Retrieved December 18, 2023.
  4. L. Stefanko. (2019, October 24). Tracking down the developer of Android adware affecting millions of users. Retrieved October 29, 2020.
  5. Costin Raiu, Denis Maslennikov, Kurt Baumgartner. (2013, March 26). Android Trojan Found in Targeted Attack. Retrieved December 23, 2016.
  6. Karl Dominguez. (2011, September 27). ANDROIDOS_ANSERVER.A. Retrieved November 30, 2018.
  7. M. Feller. (2020, February 5). Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. Retrieved September 25, 2024.
  8. T. Shishkova. (2018, August 28). The rise of mobile banker Asacub. Retrieved December 14, 2020.
  9. Kyle Schmittle, Alemdar Islamoglu, Paul Shunk, Justin Albrecht. (2023, April 27). Lookout Discovers Android Spyware Tied to Iranian Police Targeting Minorities: BouldSpy. Retrieved July 21, 2023.
  10. Securelist. (2019, August 29). Fully equipped Spying Android RAT from Brazil: BRATA. Retrieved December 18, 2023.
  11. Stefanko, L. (2023, January 10). StrongPity espionage campaign targeting Android users. Retrieved January 31, 2023.
  12. A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020.
  13. Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. Retrieved June 26, 2020.
  14. A. Hazum, B. Melnykov, C. Efrati, D. Golubenko, I. Wernik, L. Kuperman, O. Mana. (2020, April 29). First seen in the wild – Malware uses Corporate MDM as attack vector. Retrieved June 26, 2020.
  15. Cyble Research & Intelligence Labs. (2023, April 13). Banking Trojan targeting mobile users in Australia and Poland. Retrieved August 16, 2023.
  16. B. Leonard, N. Mehta. (2019, November 21). The Secret Life of Sandworms. Retrieved December 31, 2020.
  17. T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. Retrieved April 24, 2020.
  18. A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. Retrieved September 11, 2020.
  19. R. Unuchek. (2017, June 8). Dvmap: the first Android malware with code injection. Retrieved December 10, 2019.
  20. A. Bauer. (2019, April 8). Lookout discovers phishing sites distributing new iOS and Android surveillanceware. Retrieved September 11, 2020.
  21. D. Frank, L. Rochberger, Y. Rimmer, A. Dahan. (2020, April 30). EventBot: A New Mobile Banking Trojan is Born. Retrieved June 26, 2020.
  22. Threat Fabric. (2017, February). Exobot - Android banking Trojan on the rise. Retrieved October 29, 2020.
  23. O. Almkias. (2020, July 1). FakeSpy Masquerades as Postal Service Apps Around the World. Retrieved September 15, 2020.
  24. Michael Flossman. (2017, October 5). FrozenCell: Multi-platform surveillance campaign against Palestinians. Retrieved November 11, 2020.
  25. R. Iarchy, E. Rynkowski. (2018, July 5). GoldenCup: New Cyber Threat Targeting World Cup Fans. Retrieved October 29, 2020.
  1. E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign ‘Bouncing Golf’ Affects Middle East. Retrieved January 27, 2020.
  2. V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market . Retrieved November 24, 2020.
  3. Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia . Retrieved September 3, 2019.
  4. A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. Retrieved September 9, 2019.
  5. Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. Retrieved June 9, 2023.
  6. I. Beer. (2019, August 29). Implant Teardown. Retrieved June 2, 2020.
  7. Claud Xiao. (2015, August 30). KeyRaider: iOS Malware Steals Over 225,000 Apple Accounts to Create Free App Utopia. Retrieved December 12, 2016.
  8. R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020.
  9. Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. Retrieved September 4, 2019.
  10. Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.
  11. Lookout. (2016). Technical Analysis of Pegasus Spyware. Retrieved December 12, 2016.
  12. Flossman, M., Scott, M. (2021, April). Technical Paper // Taking Action Against Arid Viper. Retrieved March 4, 2024.
  13. Nell Campbell. (2018, February 27). RedDrop: the blackmailing mobile malware family lurking in app stores. Retrieved September 18, 2018.
  14. Tatyana Shishkova. (2019, June 25). Riltok mobile Trojan: A banker with global reach. Retrieved August 7, 2019.
  15. T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan – banker and ransomware. Retrieved September 23, 2019.
  16. Wu Zhou, Deyu Hu, Jimmy Su, Yong Kang. (2016, April 26). RUMMS: THE LATEST FAMILY OF ANDROID MALWARE ATTACKING USERS IN RUSSIA VIA SMS PHISHING. Retrieved February 6, 2017.
  17. ThreatFabric. (2021, September 9). S.O.V.A. - A new Android Banking trojan with fowl intentions. Retrieved February 6, 2023.
  18. Trend Micro. (2022, January 25). TianySpy Malware Uses Smishing Disguised as Message From Telco. Retrieved January 11, 2023.
  19. S. Desai. (2020, September 8). TikTok Spyware. Retrieved January 5, 2021.
  20. P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. Retrieved April 24, 2020.
  21. GReAT. (2019, June 26). ViceLeaker Operation: mobile espionage targeting Middle East. Retrieved November 21, 2019.
  22. M. Flossman. (2017, February 16). ViperRAT: The mobile APT targeting the Israeli Defense Force that should be on your radar. Retrieved September 11, 2020.
  23. The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. Retrieved February 8, 2021.
  24. Hiroaki, H., Wu, L., Wu, L.. (2019, April 2). XLoader Disguises as Android Apps, Has FakeSpy Links. Retrieved July 20, 2020.
  25. Claud Xiao. (2015, October 4). YiSpecter: First iOS Malware That Attacks Non-jailbroken Apple iOS Devices by Abusing Private APIs. Retrieved March 3, 2023.