Location Tracking

An adversary could use a malicious or exploited application to surreptitiously track the device's physical location through use of standard operating system APIs.

ID: T1430

Tactic Type: Post-Adversary Device Access

Tactic: Collection

Platform: Android, iOS

MTC ID: APP-24

Version: 1.0

Mitigations

Application Vetting

On Android, applications must request the ACCESS_COARSE_LOCATION or ACCESS_FINE_LOCATION permission to access the device's physical location. Extra scrutiny could be given to applications that request these permissions. On iOS, calls to the relevant APIs could be detected during the vetting process.
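As an added example (not code from the ATT&CK page or from any of the tools listed below), a static vetting check that flags apps able to read device location: on Android it looks for the permissions named above in AndroidManifest.xml, and on iOS it uses the Info.plist usage-description keys an app must declare before CoreLocation will prompt the user as a static proxy for the API calls the vetting process looks for. The sample manifest, plist and package names are constructed, and ACCESS_BACKGROUND_LOCATION is included beyond the two permissions the page names.

```python
import plistlib
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# The two permissions named in the mitigation, plus ACCESS_BACKGROUND_LOCATION
# (Android 10+), which lets an app keep collecting while not in the foreground.
ANDROID_LOCATION_PERMS = {
    "android.permission.ACCESS_COARSE_LOCATION": "coarse",
    "android.permission.ACCESS_FINE_LOCATION": "fine",
    "android.permission.ACCESS_BACKGROUND_LOCATION": "background",
}
# Info.plist keys an iOS app must declare before CoreLocation will prompt;
# their presence is a static stand-in for spotting the location API calls.
IOS_LOCATION_KEYS = {
    "NSLocationWhenInUseUsageDescription": "when-in-use",
    "NSLocationAlwaysAndWhenInUseUsageDescription": "always",
}

# Constructed sample artefacts (not taken from any real app).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.flashlight">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.ACCESS_BACKGROUND_LOCATION"/>
</manifest>"""
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.notes</string>
  <key>NSLocationAlwaysAndWhenInUseUsageDescription</key><string>Finds notes near you</string>
</dict></plist>"""

def android_location_perms(manifest_xml: str) -> dict:
    """Map each requested location permission to its precision/scope."""
    root = ET.fromstring(manifest_xml)
    found = {}
    for node in root.iter("uses-permission"):
        name = node.get(ANDROID_NS + "name", "")  # attribute is android:name
        if name in ANDROID_LOCATION_PERMS:
            found[name] = ANDROID_LOCATION_PERMS[name]
    return found

def ios_location_keys(plist_bytes: bytes) -> dict:
    """Map each declared location usage key to the access level it unlocks."""
    info = plistlib.loads(plist_bytes)
    return {k: v for k, v in IOS_LOCATION_KEYS.items() if k in info}

def needs_extra_scrutiny(manifest_xml=None, plist_bytes=None) -> bool:
    """True when either artefact shows the app can read device location."""
    android = android_location_perms(manifest_xml) if manifest_xml else {}
    ios = ios_location_keys(plist_bytes) if plist_bytes else {}
    return bool(android or ios)
```

A flashlight app requesting fine and background location, as in the sample manifest, is exactly the mismatch between declared purpose and requested capability that the vetting step should surface.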

Examples

Adups

Adups transmitted location information.[1]

Android/Chuli.A

Android/Chuli.A stole geo-location data.[2]

AndroRAT

AndroRAT tracks the device location.[3]

Charger

Charger checks the local settings of the device and does not run its malicious logic if the device is located in Ukraine, Russia, or Belarus.[4]

FinFisher

FinFisher tracks the latitude and longitude coordinates of the infected device.[5]

Pallas

Pallas tracks the latitude and longitude coordinates of the infected device.[5]

Pegasus for iOS

Pegasus for iOS updates and sends the location of the phone.[6]

PJApps

PJApps has the capability to collect and leak the victim's location.[3]

RCSAndroid

RCSAndroid can record location.[7]

SpyDealer

SpyDealer harvests location data from victims.[8]

SpyNote RAT

SpyNote RAT collects the device's location.[9]

Stealth Mango

Stealth Mango can perform GPS location tracking, and also captures coordinates when an SMS message or call is received.[10]

Tangelo

Tangelo contains functionality to gather GPS coordinates.[10]

X-Agent for Android

X-Agent for Android was believed to have been used to obtain location data of Ukrainian artillery forces.[11]

Detection

On both Android (6.0 and up) and iOS, the user can view which applications have permission to access device location through the device settings screen, and the user can choose to revoke the permissions.

References