Skip to content

T1422 System Network Configuration Discovery

Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of devices they access or through information discovery of remote systems.

Adversaries may use the information from System Network Configuration Discovery during automated discovery to shape follow-on behaviors, including determining certain access within the target network and what actions to do next.

On Android, details of onboard network interfaces are accessible to apps through the java.net.NetworkInterface class.1 Previously, the Android TelephonyManager class could be used to gather telephony-related device identifiers, information such as the IMSI, IMEI, and phone number. However, starting with Android 10, only preloaded, carrier, the default SMS, or device and profile owner applications can access the telephony-related device identifiers.2

On iOS, gathering network configuration information is not possible without root access.

Adversaries may use the information from System Network Configuration Discovery during automated discovery to shape follow-on behaviors, including determining certain access within the target network and what actions to do next.

Item Value
ID T1422
Sub-techniques T1422.001, T1422.002
Tactics TA0032
Platforms Android, iOS
Version 2.4
Created 25 October 2017
Last Modified 24 October 2025

Procedure Examples

ID Name Description
S1061 AbstractEmu AbstractEmu can collect device IP address and SIM information.7
S1214 Android/SpyAgent Android/SpyAgent has collected device network information, such as the IMEI and the phone number.38
S0310 ANDROIDOS_ANSERVER.A
ANDROIDOS_ANSERVER.A gathers the device IMEI and IMSI.26
S0292 AndroRAT AndroRAT collects the device’s location through GPS or through network settings.33
G1028 APT-C-23 APT-C-23 can collect the victim’s phone number, device information, IMSI, etc.45
S0540 Asacub Asacub can collect various pieces of device network configuration information, such as mobile network operator.20
S1215 Binary Validator Binary Validator has collected the device’s phone number and IMEI.36
S1079 BOULDSPY BOULDSPY can collect network information, such as IP address, SIM card information, and Wi-Fi information.14
S0432 Bread Bread collects the device’s IMEI, carrier, mobile country code, and mobile network code.24
S0529 CarbonSteal CarbonSteal has collected device network information, including 16-bit GSM Cell Identity, 16-bit Location Area Code, Mobile Country Code (MCC), and Mobile Network Code (MNC). CarbonSteal has also called netcfg to get stats.25
S0425 Corona Updates Corona Updates can collect device network configuration information, such as Wi-Fi SSID and IMSI.30
S0315 DualToy DualToy collects the connected iOS device’s information including IMEI, IMSI, ICCID, serial number and phone number.19
S0478 EventBot EventBot can gather device network information.13
S0522 Exobot Exobot can obtain the device’s IMEI, phone number, and IP address.32
S0405 Exodus Exodus One queries the device for its IMEI code and the phone number in order to validate the target of a new infection.22
S0509 FakeSpy FakeSpy can collect device networking information, including phone number, IMEI, and IMSI.3
S1093 FlyTrap FlyTrap can collect IP address and network configuration information.44
S0577 FrozenCell FrozenCell has collected phone metadata such as cell location, mobile country code (MCC), and mobile network code (MNC).17
S1231 GodFather GodFather has accessed the device’s current cellular network information, including the phone number and the serial number.29
S0535 Golden Cup Golden Cup can collect the device’s phone number and IMSI.16
S0536 GPlayed GPlayed can collect the device’s IMEI, phone number, and country.15
S0406 Gustuff Gustuff gathers the device IMEI to send to the command and control server.28
S1077 Hornbill Hornbill can collect a device’s phone number and IMEI, and can check to see if WiFi is enabled.4
S0463 INSOMNIA INSOMNIA can collect the device’s phone number, ICCID, IMEI, and the currently active network interface (Wi-Fi or cellular).18
S1185 LightSpy LightSpy has collected device information such as IMEI, phone number, MAC address and IP address.23
S0407 Monokle Monokle checks if the device is connected via Wi-Fi or mobile data.27
C0054 Operation Triangulation During Operation Triangulation, the threat actors use the heartbeat beacons from the implant to obtain device information, such as the IMEI, MEID, and the serial number.40
S0316 Pegasus for Android Pegasus for Android checks if the device is on Wi-Fi, a cellular network, and is roaming.39
S0291 PJApps PJApps has the capability to collect and leak the victim’s phone number, mobile device unique identifier (IMEI).21
S1241 RatMilad RatMilad has collected device information such as MAC address, IMEI and phone number.42
S0326 RedDrop RedDrop collects and exfiltrates information including IMEI, IMSI, MNC, MCC, nearby Wi-Fi networks, and other device and SIM-related info.34
S0403 Riltok Riltok can query the device’s IMEI.5
S0411 Rotexy Rotexy collects the device’s IMEI and sends it to the command and control server.35
S0313 RuMMS RuMMS gathers the device phone number and IMEI and transmits them to a command and control server.10
S0324 SpyDealer SpyDealer harvests the device phone number, IMEI, and IMSI.43
S0328 Stealth Mango Stealth Mango collects and uploads information about changes in SIM card or phone numbers on the device.12
S1082 Sunbird Sunbird can exfiltrate phone number and IMEI.4
S0329 Tangelo Tangelo contains functionality to gather cellular IDs.12
S0545 TERRACOTTA TERRACOTTA has collected the device’s phone number and can check if the active network connection is metered.37
S1056 TianySpy TianySpy can check to see if Wi-Fi is enabled.41
S1216 TriangleDB TriangleDB has collected and sent information on the device’s IMEI, MEID, serial number and other device information.40
S0427 TrickMo TrickMo can collect device network configuration information such as IMSI, IMEI, and Wi-Fi connection state.6
S0506 ViperRAT ViperRAT can collect network configuration data from the device, including phone number, SIM operator, and network operator.31
S0489 WolfRAT WolfRAT sends the device’s IMEI with each exfiltration request.8
S0318 XLoader for Android XLoader for Android collects the device’s IMSI and ICCID.11
S0490 XLoader for iOS XLoader for iOS can obtain the device’s IMEM, ICCID, and MEID.11
S0311 YiSpecter YiSpecter has collected compromised device MAC addresses.9

Mitigations

ID Mitigation Description
M1006 Use Recent OS Version Android 10 introduced changes that prevent normal applications from accessing sensitive device identifiers.2

References

  1. Android. (n.d.). NetworkInterface. Retrieved December 21, 2016. 

  2. Android. (n.d.). TelephonyManager. Retrieved December 21, 2016. 

  3. O. Almkias. (2020, July 1). FakeSpy Masquerades as Postal Service Apps Around the World. Retrieved September 15, 2020. 

  4. Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. Retrieved June 9, 2023. 

  5. Tatyana Shishkova. (2019, June 25). Riltok mobile Trojan: A banker with global reach. Retrieved August 7, 2019. 

  6. P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. Retrieved April 24, 2020. 

  7. P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. Retrieved February 6, 2023. 

  8. W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back… . Retrieved July 20, 2020. 

  9. Claud Xiao. (2015, October 4). YiSpecter: First iOS Malware That Attacks Non-jailbroken Apple iOS Devices by Abusing Private APIs. Retrieved March 3, 2023. 

  10. Wu Zhou, Deyu Hu, Jimmy Su, Yong Kang. (2016, April 26). RUMMS: THE LATEST FAMILY OF ANDROID MALWARE ATTACKING USERS IN RUSSIA VIA SMS PHISHING. Retrieved February 6, 2017. 

  11. Hiroaki, H., Wu, L., Wu, L.. (2019, April 2). XLoader Disguises as Android Apps, Has FakeSpy Links. Retrieved July 20, 2020. 

  12. Lookout. (n.d.). Stealth Mango & Tangelo. Retrieved September 27, 2018. 

  13. D. Frank, L. Rochberger, Y. Rimmer, A. Dahan. (2020, April 30). EventBot: A New Mobile Banking Trojan is Born. Retrieved June 26, 2020. 

  14. Kyle Schmittle, Alemdar Islamoglu, Paul Shunk, Justin Albrecht. (2023, April 27). Lookout Discovers Android Spyware Tied to Iranian Police Targeting Minorities: BouldSpy. Retrieved July 21, 2023. 

  15. V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market . Retrieved November 24, 2020. 

  16. R. Iarchy, E. Rynkowski. (2018, July 5). GoldenCup: New Cyber Threat Targeting World Cup Fans. Retrieved October 29, 2020. 

  17. Michael Flossman. (2017, October 5). FrozenCell: Multi-platform surveillance campaign against Palestinians. Retrieved November 11, 2020. 

  18. I. Beer. (2019, August 29). Implant Teardown. Retrieved June 2, 2020. 

  19. Claud Xiao. (2016, September 13). DualToy: New Windows Trojan Sideloads Risky Apps to Android and iOS Devices. Retrieved January 24, 2017. 

  20. T. Shishkova. (2018, August 28). The rise of mobile banker Asacub. Retrieved December 14, 2020. 

  21. Lookout. (2016, May 25). 5 active mobile threats spoofing enterprise apps. Retrieved December 19, 2016. 

  22. Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved November 17, 2024. 

  23. Dmitry Bestuzhev. (2025, April 7). The Coordinated Kill Switch: LightSpy’s iOS Destructive Plugin Architecture Manages Device Disablement. Retrieved April 14, 2025. 

  24. A. Guertin, V. Kotov, Android Security & Privacy Team. (2020, January 9). PHA Family Highlights: Bread (and Friends) . Retrieved April 27, 2020. 

  25. A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020. 

  26. Karl Dominguez. (2011, September 27). ANDROIDOS_ANSERVER.A. Retrieved November 30, 2018. 

  27. Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. Retrieved September 4, 2019. 

  28. Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia . Retrieved September 3, 2019. 

  29. Merkle Science. (2023, April 25). The Godfather Android Malware: Threat under the lens. Retrieved July 16, 2025. 

  30. T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. Retrieved April 24, 2020. 

  31. M. Flossman. (2017, February 16). ViperRAT: The mobile APT targeting the Israeli Defense Force that should be on your radar. Retrieved September 11, 2020. 

  32. Threat Fabric. (2017, February). Exobot - Android banking Trojan on the rise. Retrieved October 29, 2020. 

  33. Dela Paz, R. (2016, October 21). BITTER: a targeted attack against Pakistan. Retrieved March 1, 2024. 

  34. Nell Campbell. (2018, February 27). RedDrop: the blackmailing mobile malware family lurking in app stores. Retrieved November 17, 2024. 

  35. T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan – banker and ransomware. Retrieved September 23, 2019. 

  36. Kucherin, G., et al. (2023, October 23). The outstanding stealth of Operation Triangulation. Retrieved April 18, 2024. 

  37. Satori Threat Intelligence and Research Team. (2020, August). TERRACOTTA Android Malware: A Technical Study. Retrieved December 18, 2020. 

  38. Pak, C. (2019, August 7). MoqHao Related Android Spyware Targeting Japan and Korea Found on Google Play. Retrieved November 13, 2024. 

  39. Mike Murray. (2017, April 3). Pegasus for Android: the other side of the story emerges. Retrieved April 16, 2017. 

  40. Kucherin, G., et al. (2023, June 21). Dissecting TriangleDB, a Triangulation spyware implant. Retrieved April 18, 2024. 

  41. Trend Micro. (2022, January 25). TianySpy Malware Uses Smishing Disguised as Message From Telco. Retrieved January 11, 2023. 

  42. Gupta, N. (2022, October 5). We Smell A RatMilad Android Spyware. Retrieved August 27, 2025. 

  43. Wenjun Hu, Cong Zheng and Zhi Xu. (2017, July 6). SpyDealer: Android Trojan Spying on More Than 40 Apps. Retrieved September 18, 2018. 

  44. Trend Micro. (2021, August 17). FlyTrap Android Malware Is Taking Over Facebook Accounts — Protect Yourself With a Malware Scanner. Retrieved September 28, 2023. 

  45. CheckPoint Research. (2020, February 16). Hamas Android Malware On IDF Soldiers-This is How it Happened. Retrieved November 17, 2024.