Access Contact List

An adversary could call standard operating system APIs from a malicious application to gather contact list (i.e., address book) data, or with escalated privileges could directly access files containing contact list data.

ID: T1432

Tactic Type: Post-Adversary Device Access

Tactic: Collection

Platform: Android, iOS

MTC ID: APP-13

Version: 1.0

Mitigations

Mitigation Description
Application Vetting

On Android, accessing the device contact list requires that the app hold the READ_CONTACTS permission. Apps that request this permission could be closely scrutinized to ensure that the request is appropriate. On iOS, the app vetting process can determine whether apps access the device contact list, with extra scrutiny applied to any that do so.
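The Android vetting check described above can be automated as a first pass over decoded manifests. The following is an added example, not part of the original entry: it assumes each AndroidManifest.xml has already been decoded to text (for instance with apktool), uses constructed sample manifests with hypothetical package names, and treats READ_CONTACTS combined with INTERNET as a priority for review, which is this example's own heuristic.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
READ_CONTACTS = "android.permission.READ_CONTACTS"
INTERNET = "android.permission.INTERNET"
# Either element can request a permission; the -sdk-23 form applies on API 23+ only.
PERMISSION_TAGS = ("uses-permission", "uses-permission-sdk-23")

# Constructed sample manifests (package names are hypothetical).
MANIFESTS = {
    "flashlight.apk": """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
        package="com.example.flashlight">
      <uses-permission android:name="android.permission.READ_CONTACTS"/>
      <uses-permission android:name="android.permission.INTERNET"/>
    </manifest>""",
    "dialer.apk": """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
        package="com.example.dialer">
      <uses-permission-sdk-23 android:name="android.permission.READ_CONTACTS"/>
    </manifest>""",
    "notes.apk": """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
        package="com.example.notes">
      <uses-permission android:name="android.permission.INTERNET"/>
    </manifest>""",
}

def vet_manifest(manifest_xml):
    """Return a vetting finding for one decoded AndroidManifest.xml string."""
    root = ET.fromstring(manifest_xml)
    requested = {}
    for tag in PERMISSION_TAGS:
        for elem in root.findall(tag):
            name = elem.get(ANDROID_NS + "name")
            if name:
                requested.setdefault(name, []).append(tag)
    return {
        "package": root.get("package"),
        "requests_read_contacts": READ_CONTACTS in requested,
        "declared_via": requested.get(READ_CONTACTS, []),
        # Example heuristic: contact access plus network access gets priority review.
        "priority": READ_CONTACTS in requested and INTERNET in requested,
    }

def review_queue(manifests):
    """List (apk, finding) pairs needing scrutiny, priority findings first."""
    hits = [(apk, vet_manifest(xml)) for apk, xml in manifests.items()]
    hits = [h for h in hits if h[1]["requests_read_contacts"]]
    return sorted(hits, key=lambda h: not h[1]["priority"])

if __name__ == "__main__":
    print(review_queue(MANIFESTS))
```

A hit only means the app belongs in the scrutiny queue; whether the request is appropriate for the app's stated purpose still has to be judged by a reviewer.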

Examples

Name Description
Adups

Adups transmitted contact lists.[1]

Android/Chuli.A

Android/Chuli.A stole contact list data stored both on the phone and the SIM card.[2]

AndroRAT

AndroRAT collects contact list information.[3]

Charger

Charger steals contacts from the victim user's device.[4]

Pallas

Pallas accesses the device contact list.[5]

Pegasus for Android

Pegasus for Android accesses contact list information.[6]

Pegasus for iOS

Pegasus for iOS gathers contacts from the system by dumping the victim's address book.[7]

SpyDealer

SpyDealer harvests contact lists from victims.[8]

SpyNote RAT

SpyNote RAT can view contacts.[9]

Stealth Mango

Stealth Mango uploads contact lists for various third-party applications such as Yahoo, AIM, GoogleTalk, Skype, QQ, and others.[10]

Detection

On both Android (6.0 and up) and iOS, the user can view which applications have permission to access contact list information through the device settings screen, and the user can choose to revoke the permissions.

References