T1421 System Network Connections Discovery

Adversaries may attempt to get a listing of network connections to or from the compromised device they are currently accessing or from remote systems by querying for information over the network.

This is typically accomplished by utilizing device APIs to collect information about nearby networks, such as Wi-Fi, Bluetooth, and cellular tower connections. On Android, this can be done by querying the respective APIs:

  • WifiInfo for information about the current Wi-Fi connection, as well as nearby Wi-Fi networks. Querying the WifiInfo API requires the application to hold the ACCESS_FINE_LOCATION permission.

  • BluetoothAdapter for information about Bluetooth devices, which also requires the application to hold several permissions granted by the user at runtime.

  • For Android versions prior to Q, applications can use the TelephonyManager.getNeighboringCellInfo() method. For Q and later, applications can use the TelephonyManager.getAllCellInfo() method. Both methods require the application to hold the ACCESS_FINE_LOCATION permission.
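
For app vetting, the API and permission pairings listed above can be checked statically. The following is an added example, not part of the original technique page: it reads a decoded AndroidManifest.xml and smali text and reports which of the named APIs are referenced and whether ACCESS_FINE_LOCATION is declared. The function names, the sample package name and the sample input are constructed for illustration, and the smali descriptors are an assumption about how the decompiler renders these classes.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
FINE_LOCATION = "android.permission.ACCESS_FINE_LOCATION"

# API references named in the technique description, as they appear in smali.
API_PATTERNS = {
    "wifi": re.compile(r"Landroid/net/wifi/WifiInfo;"),
    "bluetooth": re.compile(r"Landroid/bluetooth/BluetoothAdapter;"),
    "cell_pre_q": re.compile(r"Landroid/telephony/TelephonyManager;->getNeighboringCellInfo\("),
    "cell_q_plus": re.compile(r"Landroid/telephony/TelephonyManager;->getAllCellInfo\("),
}
# Per the description, the Wi-Fi and cell queries need ACCESS_FINE_LOCATION.
NEEDS_FINE_LOCATION = {"wifi", "cell_pre_q", "cell_q_plus"}


def requested_permissions(manifest_xml):
    """Return the set of permission names in <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")} - {None}


def triage(manifest_xml, smali_text):
    """Map each referenced API family to its permission status in the manifest."""
    perms = requested_permissions(manifest_xml)
    findings = {}
    for family, pattern in API_PATTERNS.items():
        if not pattern.search(smali_text):
            continue
        if family in NEEDS_FINE_LOCATION:
            declared = FINE_LOCATION in perms
            findings[family] = "referenced, permission declared" if declared else "referenced, permission not declared"
        else:
            findings[family] = "referenced, check runtime Bluetooth permissions"
    return findings


# Constructed sample input: a decoded manifest and a few smali lines.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.sample">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>"""
SAMPLE_SMALI = """
invoke-virtual {v0}, Landroid/telephony/TelephonyManager;->getAllCellInfo()Ljava/util/List;
invoke-virtual {v1}, Landroid/net/wifi/WifiManager;->getConnectionInfo()Landroid/net/wifi/WifiInfo;
invoke-static {}, Landroid/bluetooth/BluetoothAdapter;->getDefaultAdapter()Landroid/bluetooth/BluetoothAdapter;
"""

if __name__ == "__main__":
    for family, status in triage(SAMPLE_MANIFEST, SAMPLE_SMALI).items():
        print(f"{family}: {status}")
```

A declared permission only shows capability: ACCESS_FINE_LOCATION is granted at runtime, and many legitimate apps reference these APIs, so a hit is a lead for review rather than a verdict.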

| Item | Value |
| --- | --- |
| ID | T1421 |
| Sub-techniques | |
| Tactics | TA0032 |
| Platforms | Android |
| Version | 2.1 |
| Created | 25 October 2017 |
| Last Modified | 24 October 2025 |

Procedure Examples

| ID | Name | Description |
| --- | --- | --- |
| C0033 | C0033 | During C0033, PROMETHIUM used StrongPity to collect information regarding available Wi-Fi networks. [13] |
| S0405 | Exodus | Exodus Two collects a list of nearby base stations. [11] |
| S0509 | FakeSpy | FakeSpy can collect the device’s network information. [10] |
| S0408 | FlexiSpy | FlexiSpy can collect a list of known Wi-Fi access points. [1] |
| S1185 | LightSpy | LightSpy has collected a list of cellular networks and connected Wi-Fi history using a LAN scanner based on MMLanScan. [5][6][8][9][7] |
| S0407 | Monokle | Monokle can retrieve nearby cell tower and Wi-Fi network information. [2] |
| S0399 | Pallas | Pallas gathers and exfiltrates data about nearby Wi-Fi access points. [4] |
| S0289 | Pegasus for iOS | Pegasus for iOS monitors the connection state and tracks which types of networks the phone is connected to, potentially to determine the bandwidth and ability to send full data across the network. [3] |
| S0506 | ViperRAT | ViperRAT can collect the device’s cell tower information. [12] |

References


  1. FlexiSpy. (n.d.). FlexiSpy Monitoring Features. Retrieved September 4, 2019. 

  2. Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. Retrieved September 4, 2019. 

  3. Lookout. (2016). Technical Analysis of Pegasus Spyware. Retrieved December 12, 2016. 

  4. Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018. 

  5. Firsh, A., et al. (2020, March 26). iOS exploit chain deploys LightSpy feature-rich malware. Retrieved January 13, 2025. 

  6. Melikov, D. (2024, April 11). LightSpy Returns: Renewed Espionage Campaign Targets Southern Asia, Possibly India. Retrieved January 14, 2025. 

  7. Shoshin, P. (2020, March 27). LightSpy spyware targets iPhone users in Hong Kong. Retrieved February 12, 2025. 

  8. ThreatFabric. (2023, October 2). LightSpy mAPT Mobile Payment System Attack. Retrieved January 17, 2025. 

  9. ThreatFabric. (2024, October 29). LightSpy: Implant for iOS. Retrieved January 30, 2025. 

  10. O. Almkias. (2020, July 1). FakeSpy Masquerades as Postal Service Apps Around the World. Retrieved September 15, 2020. 

  11. Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved November 17, 2024. 

  12. M. Flossman. (2017, February 16). ViperRAT: The mobile APT targeting the Israeli Defense Force that should be on your radar. Retrieved September 11, 2020. 

  13. Dong, Z. et al. (2021, July 21). StrongPity APT Group Deploys Android Malware for the First Time. Retrieved March 19, 2023.