Access Contact List

An adversary could call standard operating system APIs from a malicious application to gather contact list (i.e., address book) data, or with escalated privileges could directly access files containing contact list data.

ID: T1432
Tactic Type: Post-Adversary Device Access
Tactic: Collection
Platform: Android, iOS
MTC ID: APP-13
Version: 1.0

Procedure Examples

| Name | Description |
| --- | --- |
| Adups | Adups transmitted contact lists.[2] |
| Android/Chuli.A | Android/Chuli.A stole contact list data stored both on the phone and the SIM card.[7] |
| AndroRAT | AndroRAT collects contact list information.[10] |
| Charger | Charger steals contacts from the victim user's device.[8] |
| Exodus | Exodus Two can download the address book.[13] |
| FlexiSpy | FlexiSpy can collect device contacts.[1] |
| Gustuff | Gustuff can collect the contact list.[14] |
| Monokle | Monokle can retrieve the device's contact list.[15] |
| Pallas | Pallas accesses the device contact list.[11] |
| Pegasus for Android | Pegasus for Android accesses contact list information.[5] |
| Pegasus for iOS | Pegasus for iOS gathers contacts from the system by dumping the victim's address book.[3] |
| Riltok | Riltok can access and upload the device's contact list to the command and control server.[12] |
| Rotexy | Rotexy can access and upload the contacts list to the command and control server.[16] |
| SpyDealer | SpyDealer harvests contact lists from victims.[6] |
| SpyNote RAT | SpyNote RAT can view contacts.[9] |
| Stealth Mango | Stealth Mango uploads contact lists for various third-party applications such as Yahoo, AIM, GoogleTalk, Skype, QQ, and others.[4] |

Mitigations

| Mitigation | Description |
| --- | --- |
| Application Vetting | On Android, accessing the device contact list requires that the app hold the READ_CONTACTS permission. Apps that request this permission could be closely scrutinized to ensure that the request is appropriate. On iOS, the app vetting process can determine whether apps access the device contact list, with extra scrutiny applied to any that do so. |
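
One way to automate the Android vetting check described above, as an added example that is not part of the original page. It assumes each app's manifest has already been decoded to plain XML; the package names, the `EXPECTED` allowlist and the sample manifests are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
READ_CONTACTS = "android.permission.READ_CONTACTS"
# Manifest elements that can declare a permission request.
PERMISSION_TAGS = ("uses-permission", "uses-permission-sdk-23")


def contact_requests(manifest_xml):
    """Return (package, list of element names that request READ_CONTACTS)."""
    root = ET.fromstring(manifest_xml)  # XML comments are dropped by the parser
    hits = [
        tag
        for tag in PERMISSION_TAGS
        for elem in root.iter(tag)
        if elem.get(f"{{{ANDROID_NS}}}name") == READ_CONTACTS
    ]
    return root.get("package"), hits


def vet(manifest_xml, expected_packages):
    """Classify one app as 'no-contact-access', 'expected' or 'review'."""
    package, hits = contact_requests(manifest_xml)
    if not hits:
        return package, "no-contact-access"
    verdict = "expected" if package in expected_packages else "review"
    return package, verdict


# Constructed sample manifests (hypothetical package names).
def make_manifest(package, body):
    return (f'<manifest xmlns:android="{ANDROID_NS}" package="{package}">'
            f"{body}</manifest>")

SAMPLES = [
    make_manifest("com.example.dialer",
                  f'<uses-permission android:name="{READ_CONTACTS}"/>'),
    make_manifest("com.example.flashlight",
                  f'<uses-permission-sdk-23 android:name="{READ_CONTACTS}"/>'),
    make_manifest("com.example.calculator",
                  f"<!-- {READ_CONTACTS} removed in v2 --><application/>"),
]
EXPECTED = {"com.example.dialer"}  # assumed list of apps whose function needs contacts

if __name__ == "__main__":
    for xml_text in SAMPLES:
        print(*vet(xml_text, EXPECTED))
```

Parsing the manifest as XML rather than searching it as text keeps a permission name that appears only in a comment from being counted as a request.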

Detection

On both Android (6.0 and up) and iOS, the user can view which applications have permission to access contact list information through the device settings screen, and the user can choose to revoke the permissions.

References