Skip to content

T1422.001 Internet Connection Discovery

Adversaries may check for Internet connectivity on compromised systems. This may be performed during automated discovery and can be accomplished in numerous ways such as using adb shell netstat for Android.1

Adversaries may use the results and responses from these requests to determine if the mobile devices are capable of communicating with adversary-owned C2 servers before attempting to connect to them. The results may also be used to identify routes, redirectors, and proxy servers.

Item Value
ID T1422.001
Sub-techniques T1422.001, T1422.002
Tactics TA0032
Platforms Android, iOS
Version 1.0
Created 20 February 2024
Last Modified 20 February 2024

Procedure Examples

ID Name Description
S1061 AbstractEmu AbstractEmu can collect device IP address and SIM information.3
S0540 Asacub Asacub can collect various pieces of device network configuration information, such as mobile network operator.12
S1079 BOULDSPY BOULDSPY can collect network information, such as IP address, SIM card information, and Wi-Fi information.20
S0529 CarbonSteal CarbonSteal has gathered device metadata, including model, manufacturer, SD card size, disk usage, memory, CPU, and serial number.19
S0425 Corona Updates Corona Updates can collect device network configuration information, such as Wi-Fi SSID and IMSI.15
S0478 EventBot EventBot can gather device network information.18
S0522 Exobot Exobot can obtain the device’s IMEI, phone number, and IP address.13
S0405 Exodus Exodus One queries the device for its IMEI code and the phone number in order to validate the target of a new infection.8
S0509 FakeSpy FakeSpy can collect device networking information, including phone number, IMEI, and IMSI.5
S1093 FlyTrap FlyTrap can collect IP address and network configuration information.10
S1077 Hornbill Hornbill can collect a device’s phone number and IMEI, and can check to see if WiFi is enabled.14
S0463 INSOMNIA INSOMNIA can collect the device’s phone number, ICCID, IMEI, and the currently active network interface (Wi-Fi or cellular).11
S0407 Monokle Monokle checks if the device is connected via Wi-Fi or mobile data.4
S0316 Pegasus for Android Pegasus for Android checks if the device is on Wi-Fi, a cellular network, and is roaming.16
S0326 RedDrop RedDrop collects and exfiltrates information including IMEI, IMSI, MNC, MCC, nearby Wi-Fi networks, and other device and SIM-related info.7
S0545 TERRACOTTA TERRACOTTA has collected the device’s phone number and can check if the active network connection is metered.6
S1056 TianySpy TianySpy can check to see if WiFi is enabled.9
S0427 TrickMo TrickMo can collect device network configuration information such as IMSI, IMEI, and Wi-Fi connection state.2
S0506 ViperRAT ViperRAT can collect network configuration data from the device, including phone number, SIM operator, and network operator.17

Mitigations

ID Mitigation Description
M1009 Encrypt Network Traffic Ensure that traffic is encrypted to reduce adversaries’ ability to intercept, decrypt and manipulate traffic.

References

  1. Pulimet. (2017, September 11). AdbCommands. Retrieved December 14, 2023. 

  2. P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. Retrieved April 24, 2020. 

  3. P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. Retrieved February 6, 2023. 

  4. Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. Retrieved September 4, 2019. 

  5. O. Almkias. (2020, July 1). FakeSpy Masquerades as Postal Service Apps Around the World. Retrieved September 15, 2020. 

  6. Satori Threat Intelligence and Research Team. (2020, August). TERRACOTTA Android Malware: A Technical Study. Retrieved December 18, 2020. 

  7. Nell Campbell. (2018, February 27). RedDrop: the blackmailing mobile malware family lurking in app stores. Retrieved November 17, 2024. 

  8. Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved November 17, 2024. 

  9. Trend Micro. (2022, January 25). TianySpy Malware Uses Smishing Disguised as Message From Telco. Retrieved January 11, 2023. 

  10. Trend Micro. (2021, August 17). FlyTrap Android Malware Is Taking Over Facebook Accounts — Protect Yourself With a Malware Scanner. Retrieved September 28, 2023. 

  11. I. Beer. (2019, August 29). Implant Teardown. Retrieved June 2, 2020. 

  12. T. Shishkova. (2018, August 28). The rise of mobile banker Asacub. Retrieved December 14, 2020. 

  13. Threat Fabric. (2017, February). Exobot - Android banking Trojan on the rise. Retrieved October 29, 2020. 

  14. Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. Retrieved June 9, 2023. 

  15. T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. Retrieved April 24, 2020. 

  16. Mike Murray. (2017, April 3). Pegasus for Android: the other side of the story emerges. Retrieved April 16, 2017. 

  17. M. Flossman. (2017, February 16). ViperRAT: The mobile APT targeting the Israeli Defense Force that should be on your radar. Retrieved September 11, 2020. 

  18. D. Frank, L. Rochberger, Y. Rimmer, A. Dahan. (2020, April 30). EventBot: A New Mobile Banking Trojan is Born. Retrieved June 26, 2020. 

  19. A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020. 

  20. Kyle Schmittle, Alemdar Islamoglu, Paul Shunk, Justin Albrecht. (2023, April 27). Lookout Discovers Android Spyware Tied to Iranian Police Targeting Minorities: BouldSpy. Retrieved July 21, 2023.