System Information Discovery

An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, and architecture.

On Android, much of this information is programmatically accessible to applications through the android.os.Build class.[1]

On iOS, applications can likewise obtain this information programmatically, although it is not exposed through a single class as it is on Android.[2]

ID: T1426
Sub-techniques: No sub-techniques
Tactic Type: Post-Adversary Device Access
Tactic: Discovery
Platforms: Android, iOS
Version: 1.1
Created: 25 October 2017
Last Modified: 20 November 2019

Procedure Examples

Name Description
Android/Chuli.A

Android/Chuli.A gathered system information including phone number, OS version, phone model, and SDK version.[6]

ANDROIDOS_ANSERVER.A

ANDROIDOS_ANSERVER.A gathers the device OS version, device build version, manufacturer, and model.[8]

Anubis

Anubis can collect the device’s ID.[17]

Cerberus

Cerberus can collect device information, such as the default SMS app and device locale.[22][23]

Corona Updates

Corona Updates can collect various pieces of device information, including OS version, phone model, and manufacturer.[18]

Dvmap

Dvmap checks the Android version to determine which system library to patch.[15]

EventBot

EventBot can collect system information such as OS version, device vendor, and the type of screen lock that is active on the device.[21]

GolfSpy

GolfSpy can obtain the device’s battery level, network operator, connection information, sensor information, and information about the device’s storage and memory.[16]

Gustuff

Gustuff gathers information about the device, including the default SMS application, if SafetyNet is enabled, the battery level, the operating system version, and if the malware has elevated permissions.[11]

INSOMNIA

INSOMNIA can collect the device’s name, serial number, iOS version, total disk space, and free disk space.[20]

KeyRaider

Most KeyRaider samples search for the Apple account's username and password and the device's GUID in data being transferred.[5]

Monokle

Monokle queries the device for metadata such as make, model, and power levels.[12]

Pallas

Pallas queries the device for metadata, such as device ID, OS version, and the number of cameras.[9]

Pegasus for iOS

Pegasus for iOS monitors the device's status and disables access to the phone by other jailbreaking software.[7]

RedDrop

RedDrop exfiltrates details of the victim device operating system and manufacturer.[3]

Riltok

Riltok can query various details about the device, including phone number, country, mobile operator, model, root availability, and operating system version.[10]

Rotexy

Rotexy collects information about the compromised device, including phone number, network operator, OS version, device model, and the device registration country.[13]

RuMMS

RuMMS gathers device model and operating system version information and transmits it to a command and control server.[4]

TrickMo

TrickMo can collect device information such as network operator, model, brand, and OS version.[19]

ViceLeaker

ViceLeaker collects device information, including the device model and OS version.[14]

Mitigations

Mitigation Description
Application Vetting

App vetting procedures can search for apps that reference the android.os.Build class, but such a check could be evaded and is likely impractical on its own, since many legitimate apps read these fields (for example, SDK_INT compatibility checks) as part of their normal behavior.
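The vetting check described above, as an added example that is not part of the original page and not code from MITRE or any vetting product: the following Python scans baksmali-style disassembly of an APK's classes.dex for reads of android.os.Build fields and groups them by class, so a reviewer can tell a lone compatibility check from a class that assembles a device fingerprint. The sample smali text, the class names in it, and the three-field review threshold are constructed assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed sample: smali lines in the style produced by disassembling an
# APK's classes.dex (e.g. with baksmali). Hypothetical classes, not a real app.
SAMPLE_SMALI = """\
.class Lcom/example/updater/Collector;
.method private gather()Ljava/lang/String;
    sget-object v0, Landroid/os/Build;->MODEL:Ljava/lang/String;
    sget-object v1, Landroid/os/Build;->MANUFACTURER:Ljava/lang/String;
    sget-object v2, Landroid/os/Build$VERSION;->RELEASE:Ljava/lang/String;
    sget v3, Landroid/os/Build$VERSION;->SDK_INT:I
.end method
.class public Lcom/example/ui/MainActivity;
.method protected onCreate(Landroid/os/Bundle;)V
    sget v0, Landroid/os/Build$VERSION;->SDK_INT:I
    const/16 v1, 0x17
.end method
"""

# ".class [modifiers...] Lpkg/Name;" opens a new class in smali output.
CLASS_RE = re.compile(r"^\.class\s+(?:\w+\s+)*(L[^;]+;)")
# Field reads of android.os.Build or android.os.Build$VERSION look like
# "Landroid/os/Build;->MODEL:Ljava/lang/String;" or
# "Landroid/os/Build$VERSION;->SDK_INT:I". Build$VERSION_CODES (the constants
# used in compatibility comparisons) deliberately does not match.
BUILD_FIELD_RE = re.compile(r"Landroid/os/Build(\$VERSION)?;->(\w+):")


def build_field_refs(smali_text):
    """Map each class in the smali text to the set of android.os.Build fields it reads.

    Example result: {"Lcom/example/ui/MainActivity;": {"Build.VERSION.SDK_INT"}}
    """
    refs = defaultdict(set)
    current = None
    for line in smali_text.splitlines():
        m = CLASS_RE.match(line)
        if m:
            current = m.group(1)
            continue
        if current is None:
            continue  # lines before any .class header are ignored
        for inner, field in BUILD_FIELD_RE.findall(line):
            qualified = ("Build.VERSION." if inner else "Build.") + field
            refs[current].add(qualified)
    return dict(refs)


def flag_fingerprinting(refs, threshold=3):
    """Return classes that read at least `threshold` distinct Build fields.

    The threshold is an assumption for this example: a single SDK_INT read is
    the ordinary compatibility idiom, while a class that reads model,
    manufacturer and OS version together looks like device fingerprinting and
    deserves a manual look. A hit is a lead, not proof of malice; many
    legitimate analytics and crash-reporting SDKs read the same fields.
    """
    return sorted(cls for cls, fields in refs.items() if len(fields) >= threshold)


if __name__ == "__main__":
    found = build_field_refs(SAMPLE_SMALI)
    for cls, fields in sorted(found.items()):
        print(f"{cls}: {', '.join(sorted(fields))}")
    print("classes to review:", flag_fingerprinting(found))
```

Run against a real disassembly by feeding it the concatenated .smali files instead of SAMPLE_SMALI. The grouping by class is what makes the output usable: a bare count of android.os.Build references across an APK is almost always nonzero, which is exactly why the mitigation text calls the naive version of this check impractical.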
