T1421 System Network Connections Discovery
Adversaries may attempt to get a listing of network connections to or from the compromised device they are currently accessing or from remote systems by querying for information over the network.
This is typically accomplished by utilizing device APIs to collect information about nearby networks, such as Wi-Fi, Bluetooth, and cellular tower connections. On Android, this can be done by querying the respective APIs:
- `WifiInfo` for information about the current Wi-Fi connection, as well as nearby Wi-Fi networks. Querying the `WifiInfo` API requires the application to hold the `ACCESS_FINE_LOCATION` permission.
- `BluetoothAdapter` for information about Bluetooth devices, which also requires the application to hold several permissions granted by the user at runtime.
- For Android versions prior to Q, applications can use the `TelephonyManager.getNeighboringCellInfo()` method. For Q and later, applications can use the `TelephonyManager.getAllCellInfo()` method. Both methods require the application to hold the `ACCESS_FINE_LOCATION` permission.
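
For app vetting, the permission requirements above can be turned into a manifest triage check. The following is an added example, not part of the ATT&CK entry: it reads a decoded `AndroidManifest.xml` and reports which of the APIs listed above the declared permissions would unlock at a given device API level. The sample manifest is constructed, the function names are hypothetical, and the Bluetooth permission names (`BLUETOOTH_SCAN`, `BLUETOOTH_CONNECT`) are an assumption, since the page does not name them.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
Q_API_LEVEL = 29  # Android Q

FINE = "android.permission.ACCESS_FINE_LOCATION"  # named on the page
# Assumption: Android 12+ runtime Bluetooth permissions (not named on the page).
BT_PERMS = {"android.permission.BLUETOOTH_SCAN",
            "android.permission.BLUETOOTH_CONNECT"}

# Constructed sample: a decoded manifest for a hypothetical app.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.BLUETOOTH_SCAN"
                   android:maxSdkVersion="30"/>
  <uses-permission-sdk-23 android:name="android.permission.BLUETOOTH_CONNECT"/>
</manifest>"""

def effective_permissions(manifest_xml, device_api):
    """Permissions the manifest requests on a device at `device_api`."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(ANDROID_NS + "name")
            max_sdk = el.get(ANDROID_NS + "maxSdkVersion")
            if tag == "uses-permission-sdk-23" and device_api < 23:
                continue  # element only applies on API 23 and later
            if max_sdk is not None and device_api > int(max_sdk):
                continue  # request not made above maxSdkVersion
            if name:
                perms.add(name)
    return perms

def reachable_discovery_apis(manifest_xml, device_api):
    """APIs from this technique that the declared permissions would unlock."""
    perms = effective_permissions(manifest_xml, device_api)
    apis = []
    if FINE in perms:
        apis.append("WifiInfo")
        apis.append("TelephonyManager.getAllCellInfo()"
                    if device_api >= Q_API_LEVEL
                    else "TelephonyManager.getNeighboringCellInfo()")
    if perms & BT_PERMS:
        apis.append("BluetoothAdapter")
    return apis

if __name__ == "__main__":
    for api in (28, 33):
        print(api, reachable_discovery_apis(SAMPLE_MANIFEST, api))
```

A declared permission shows only that the API is reachable, not that the app calls it, so a hit is a prompt for code review or runtime monitoring rather than a verdict.
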
Item | Value |
---|---|
ID | T1421 |
Sub-techniques | |
Tactics | TA0032 |
Platforms | Android |
Version | 2.1 |
Created | 25 October 2017 |
Last Modified | 31 March 2022 |
Procedure Examples
ID | Name | Description |
---|---|---|
S0405 | Exodus | Exodus Two collects a list of nearby base stations. [2] |
S0509 | FakeSpy | FakeSpy can collect the device’s network information. [4] |
S0408 | FlexiSpy | FlexiSpy can collect a list of known Wi-Fi access points. [1] |
S0407 | Monokle | Monokle can retrieve nearby cell tower and Wi-Fi network information. [5] |
S0399 | Pallas | Pallas gathers and exfiltrates data about nearby Wi-Fi access points. [6] |
S0289 | Pegasus for iOS | Pegasus for iOS monitors the connection state and tracks which types of networks the phone is connected to, potentially to determine the bandwidth and ability to send full data across the network. [7] |
S0506 | ViperRAT | ViperRAT can collect the device’s cell tower information. [3] |
References
1. FlexiSpy. (n.d.). FlexiSpy Monitoring Features. Retrieved September 4, 2019.
2. Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved September 3, 2019.
3. M. Flossman. (2017, February 16). ViperRAT: The mobile APT targeting the Israeli Defense Force that should be on your radar. Retrieved September 11, 2020.
4. O. Almkias. (2020, July 1). FakeSpy Masquerades as Postal Service Apps Around the World. Retrieved September 15, 2020.
5. Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. Retrieved September 4, 2019.
6. Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.
7. Lookout. (2016). Technical Analysis of Pegasus Spyware. Retrieved December 12, 2016.