Adversaries may utilize standard operating system APIs to gather contact list data. On Android, this can be accomplished using the Contacts Content Provider. On iOS, this can be accomplished using the
If the device has been jailbroken or rooted, an adversary may be able to access the Contact List without the user’s knowledge or approval.
AbstractEmu can grant itself contact list access.
Android/Chuli.A stole contact list data stored both on the phone and the SIM card.
Corona Updates can collect device contacts.
Desert Scorpion can collect the device’s contact list.
DoubleAgent has accessed the contact list.
FluBot can retrieve the contacts list from an infected device.
Golden Cup can collect the device’s contact list.
GoldenEagle has collected a list of contacts.
|S0316||Pegasus for Android||Pegasus for Android accesses contact list information.|
|S0289||Pegasus for iOS||Pegasus for iOS gathers contacts from the system by dumping the victim's address book.|
|S0539||Red Alert 2.0||Red Alert 2.0 can collect the device’s contact list.|
Riltok can access and upload the device's contact list to the command and control server.
Rotexy can access and upload the contacts list to the command and control server.
SpyNote RAT can view contacts.
Stealth Mango uploads contact lists for various third-party applications such as Yahoo, AIM, GoogleTalk, Skype, QQ, and others.
TangleBot can request permission to view device contacts.
Tiktok Pro can access the device's contact list.
Windshift has included contact list exfiltration in the malicious apps deployed as part of Operation BULL.
Contact list access is an uncommonly needed permission, so users should be instructed to use extra scrutiny when granting access to their contact list.
|ID||Data Source||Data Component|
|DS0041||Application Vetting||Permissions Requests|
|DS0042||User Interface||System Settings|
On both Android and iOS, the user can manage which applications have permission to access the contact list through the device settings screen, revoking the permission if necessary. Application vetting services could look for android.permission.READ_CONTACTS in an Android application’s manifest, or NSContactsUsageDescription in an iOS application’s Info.plist file. Most applications do not need contact list access, so extra scrutiny could be applied to those that request it.
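The vetting check described above, as an added example that is not part of the original page: it looks for android.permission.READ_CONTACTS in an Android manifest and NSContactsUsageDescription in an iOS Info.plist. The function names and sample inputs are constructed for illustration, and the Android manifest is assumed to have already been decoded from the APK's binary XML into text.

```python
import plistlib
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Both elements can declare a permission request in the manifest.
PERMISSION_TAGS = ("uses-permission", "uses-permission-sdk-23")
ANDROID_PERMISSION = "android.permission.READ_CONTACTS"
IOS_KEY = "NSContactsUsageDescription"

def android_requests_contacts(manifest_xml: str) -> bool:
    """True if a decoded (text) AndroidManifest.xml requests READ_CONTACTS."""
    root = ET.fromstring(manifest_xml)
    for tag in PERMISSION_TAGS:
        for elem in root.findall(tag):
            # The permission name lives in the namespaced android:name attribute.
            if elem.get(ANDROID_NS + "name", "").strip() == ANDROID_PERMISSION:
                return True
    return False

def ios_contacts_purpose(info_plist: bytes):
    """Return the NSContactsUsageDescription text, or None if the key is absent."""
    data = plistlib.loads(info_plist)  # accepts XML and binary plists
    return data.get(IOS_KEY)

# Constructed sample inputs (not taken from any real application).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:label="Flashlight"/>
</manifest>"""
CLEAN_MANIFEST = SAMPLE_MANIFEST.replace("READ_CONTACTS", "VIBRATE")
SAMPLE_PLIST = plistlib.dumps(
    {"CFBundleIdentifier": "com.example.flashlight",
     "NSContactsUsageDescription": "Find friends who use this app."},
    fmt=plistlib.FMT_BINARY)
CLEAN_PLIST = plistlib.dumps({"CFBundleIdentifier": "com.example.flashlight"})

if __name__ == "__main__":
    print("Android sample requests contacts:", android_requests_contacts(SAMPLE_MANIFEST))
    print("iOS sample purpose string:", ios_contacts_purpose(SAMPLE_PLIST))
```

When vetting untrusted packages, parse the manifest with a hardened XML parser such as defusedxml rather than the standard library parser used here.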