T1424 Process Discovery

Adversaries may attempt to get information about running processes on a device. Information obtained could be used to gain an understanding of common software/applications running on devices within a network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

Recent Android security enhancements have made it more difficult to obtain a list of running processes. On Android 7 and later, there is no way for an application to obtain the process list without abusing elevated privileges. This is due to the Android kernel utilizing the hidepid mount feature. Prior to Android 7, applications could utilize the ps command or examine the /proc directory on the device.[1]

In iOS, applications have previously been able to use the sysctl command to obtain a list of running processes. This functionality has been removed in later iOS versions.

| Item | Value |
|---|---|
| ID | T1424 |
| Sub-techniques | |
| Tactics | TA0032 |
| Platforms | Android, iOS |
| Version | 2.1 |
| Created | 25 October 2017 |
| Last Modified | 24 October 2025 |

Procedure Examples

| ID | Name | Description |
|---|---|---|
| S0440 | Agent Smith | Agent Smith checks if a targeted application is running in user-space prior to infection.[7] |
| S0422 | Anubis | Anubis can collect a list of running processes.[4] |
| S1215 | Binary Validator | Binary Validator has obtained a list of running processes.[13] |
| S1225 | CherryBlos | CherryBlos has used the Accessibility Service to monitor when a wallet application has launched.[2] |
| S0421 | GolfSpy | GolfSpy can obtain a list of running processes.[14] |
| S0544 | HenBox | HenBox can obtain a list of running processes.[10] |
| S1185 | LightSpy | LightSpy has collected a list of running processes.[9][8] |
| C0054 | Operation Triangulation | During Operation Triangulation, the threat actors have obtained a list of processes.[5] |
| S0411 | Rotexy | Rotexy collects information about running processes.[11] |
| S1055 | SharkBot | SharkBot can use Accessibility Services to detect which process is in the foreground.[3] |
| S1216 | TriangleDB | TriangleDB has collected a list of running processes.[5] |
| S0489 | WolfRAT | WolfRAT uses dumpsys to determine if certain applications are running.[12] |
| S0311 | YiSpecter | YiSpecter has collected information about running processes.[6] |

Mitigations

| ID | Mitigation | Description |
|---|---|---|
| M1002 | Attestation | Attestation can typically detect rooted devices. For MDM-enrolled devices, action can be taken if a device fails an attestation check. |
| M1006 | Use Recent OS Version | Android 7 and later, and more recent iOS versions, introduced changes that prevent applications from performing Process Discovery without elevated privileges. |
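A defender-side check for the Android side of M1006 and the hidepid mount feature described above, added here as an example and not code from ATT&CK or any vendor: it parses /proc/mounts text and reports whether the /proc mount's hidepid option blocks an unprivileged app from listing processes. The sample mount lines and the gid value are constructed; the hidepid level names follow the Linux procfs mount options.

```python
"""Report whether a /proc mount hides other users' processes (hidepid).
Android 7+ mounts /proc with hidepid, so an unprivileged app cannot list
processes; without it, Process Discovery via /proc or ps works for any app.
Input is the text of /proc/mounts (e.g. from `adb shell cat /proc/mounts`).
"""

# Symbolic hidepid values accepted by newer kernels, mapped to numeric levels.
HIDEPID_NAMES = {"off": 0, "noaccess": 1, "invisible": 2, "ptraceable": 4}

# Constructed sample /proc/mounts excerpts (not captured from real devices).
ANDROID7_MOUNTS = (
    "rootfs / rootfs ro,seclabel,relatime 0 0\n"
    "proc /proc proc rw,nosuid,nodev,noexec,relatime,gid=3009,hidepid=2 0 0\n"
)
LEGACY_MOUNTS = "proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0\n"


def parse_mounts(mounts_text):
    """Parse /proc/mounts lines into (device, mountpoint, fstype, options)."""
    entries = []
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # blank or truncated line
        opts = {}
        for opt in fields[3].split(","):
            key, _, value = opt.partition("=")
            opts[key] = value  # flags without '=' get an empty value
        entries.append((fields[0], fields[1], fields[2], opts))
    return entries


def proc_hidepid_level(mounts_text):
    """Effective hidepid level of the /proc mount (0 = all processes visible);
    None if no procfs is mounted at /proc. The gid= option, if present,
    names a group that is exempt from hiding."""
    for _dev, mountpoint, fstype, opts in parse_mounts(mounts_text):
        if fstype == "proc" and mountpoint == "/proc":
            raw = opts.get("hidepid", "0")
            if raw in HIDEPID_NAMES:
                return HIDEPID_NAMES[raw]
            return int(raw) if raw.isdigit() else 0
    return None


def process_discovery_exposed(mounts_text):
    """True if an unprivileged app could still enumerate processes via /proc."""
    level = proc_hidepid_level(mounts_text)
    # hidepid=1 still exposes /proc/<pid> directory names; only 2 or 4 block listing.
    return level is not None and level < 2
```

Run it against a captured /proc/mounts from a managed device to confirm the mount carries hidepid=2 (or invisible) rather than relying on the OS version alone.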

References

1. Various. (2016, March 31). Overly restrictive SELinux filesystem permissions in Android N. Retrieved December 21, 2016.
2. Trend Micro Research. (2023, July 28). Related CherryBlos and FakeTrade Android Malware Involved in Scam Campaigns. Retrieved March 28, 2025.
3. RIFT: Research and Intelligence Fusion Team. (2022, March 3). SharkBot: a "new" generation Android banking Trojan being distributed on Google Play Store. Retrieved January 18, 2023.
4. zLabs. (2019, November 12). How Zimperium's z9 Detected Unknown Mobile Malware Overlooked by the AV Industry. Retrieved January 20, 2021.
5. Kucherin, G., et al. (2023, June 21). Dissecting TriangleDB, a Triangulation spyware implant. Retrieved April 18, 2024.
6. Claud Xiao. (2015, October 4). YiSpecter: First iOS Malware That Attacks Non-jailbroken Apple iOS Devices by Abusing Private APIs. Retrieved March 3, 2023.
7. A. Hazum, F. He, I. Marom, B. Melnykov, A. Polkovnichenko. (2019, July 10). Agent Smith: A New Species of Mobile Malware. Retrieved May 7, 2020.
8. Dmitry Bestuzhev. (2025, April 7). The Coordinated Kill Switch: LightSpy's iOS Destructive Plugin Architecture Manages Device Disablement. Retrieved April 14, 2025.
9. ThreatFabric. (2024, October 29). LightSpy: Implant for iOS. Retrieved January 30, 2025.
10. A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. Retrieved September 9, 2019.
11. T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan – banker and ransomware. Retrieved September 23, 2019.
12. W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back… Retrieved July 20, 2020.
13. Kucherin, G., et al. (2023, October 23). The outstanding stealth of Operation Triangulation. Retrieved April 18, 2024.
14. E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign 'Bouncing Golf' Affects Middle East. Retrieved January 27, 2020.