Location Tracking

An adversary could use a malicious or exploited application to surreptitiously track the device's physical location through use of standard operating system APIs.

ID: T1430
Tactic Type: Post-Adversary Device Access
Tactic: Collection, Discovery
Platform: Android, iOS
MTC ID: APP-24
Version: 1.0

Procedure Examples

Name Description
Adups

Adups transmitted location information.[3]

Android/Chuli.A

Android/Chuli.A stole geo-location data.[10]

AndroRAT

AndroRAT tracks the device location.[8]

Charger

Charger checks the local settings of the device and does not run its malicious logic if the device is located in Ukraine, Russia, or Belarus.[5]

Exodus

Exodus Two can extract the GPS coordinates of the device.[13]

FinFisher

FinFisher tracks the latitude and longitude coordinates of the infected device.[12]

FlexiSpy

FlexiSpy can track the device's location.[1]

Monokle

Monokle can track the device's location.[14]

Pallas

Pallas tracks the latitude and longitude coordinates of the infected device.[12]

Pegasus for iOS

Pegasus for iOS updates and sends the location of the phone.[6]

PJApps

PJApps has the capability to collect and leak the victim's location.[8]

RCSAndroid

RCSAndroid can record location.[7]

Skygofree

Skygofree can track the device's location.[15]

SpyDealer

SpyDealer harvests location data from victims.[11]

SpyNote RAT

SpyNote RAT collects the device's location.[4]

Stealth Mango

Stealth Mango can perform GPS location tracking as well as capture coordinates when an SMS message or call is received.[2]

Tangelo

Tangelo contains functionality to gather GPS coordinates.[2]

X-Agent for Android

X-Agent for Android was believed to have been used to obtain locational data of Ukrainian artillery forces.[9]

Mitigations

Mitigation Description
Application Vetting

On Android, applications must request the ACCESS_COARSE_LOCATION or ACCESS_FINE_LOCATION permission to access the device's physical location. Extra scrutiny could be given to applications that request these permissions. On iOS, calls to the relevant APIs could be detected during the vetting process.
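The Android half of this vetting check can be automated. The following is an added example, not part of the original page: it flags the two permissions named above in a manifest that is assumed to be already decoded from the APK's binary form to text XML. The function names and the sample manifest are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Attribute namespace used by android:name, android:maxSdkVersion, etc.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# The two permissions named in the mitigation, mapped to location precision.
LOCATION_PERMISSIONS = {
    "android.permission.ACCESS_COARSE_LOCATION": "coarse",
    "android.permission.ACCESS_FINE_LOCATION": "fine",
}

# Both manifest elements can request a permission; the second applies
# only on API level 23 and higher.
PERMISSION_TAGS = ("uses-permission", "uses-permission-sdk-23")


def location_permissions(manifest_xml):
    """Return one finding per location permission requested in the manifest."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for tag in PERMISSION_TAGS:
        for elem in root.iter(tag):
            name = (elem.get(ANDROID_NS + "name") or "").strip()
            if name in LOCATION_PERMISSIONS:
                findings.append({
                    "package": root.get("package"),
                    "permission": name,
                    "precision": LOCATION_PERMISSIONS[name],
                    "element": tag,
                    # Set when the request is limited to older API levels.
                    "maxSdkVersion": elem.get(ANDROID_NS + "maxSdkVersion"),
                })
    return findings


def needs_extra_scrutiny(manifest_xml):
    """True if the app requests any location permission."""
    return bool(location_permissions(manifest_xml))


# Constructed sample: a hypothetical flashlight app that requests location.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
    <uses-permission android:name="android.permission.CAMERA" />
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
    <uses-permission-sdk-23 android:name="android.permission.ACCESS_COARSE_LOCATION"
        android:maxSdkVersion="28" />
    <application android:label="Flashlight" />
</manifest>"""

if __name__ == "__main__":
    for finding in location_permissions(SAMPLE_MANIFEST):
        print(finding)
```

A finding is a prompt for review rather than a verdict: the reviewer still has to judge whether the app's stated function justifies location access.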

Detection

On both Android (6.0 and up) and iOS, the user can view which applications have permission to access device location through the device settings screen, and the user can choose to revoke the permissions.

References