
T1424 Process Discovery

On Android versions prior to 5, applications can observe information about other running processes through methods of the ActivityManager class. On Android versions prior to 7, applications can obtain the same information by executing the ps command or by reading the /proc filesystem directly. Starting with Android 7, /proc is mounted with the Linux kernel's hidepid option, which hides the process entries of other users (each Android app runs as its own UID), so applications without escalated privileges can no longer enumerate other processes this way [1].
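The three discovery channels described above, as an added example that is not code from the ATT&CK page or from any of the samples listed below. It is written against the public Android SDK; the class and method names (ProcessDiscovery, viaActivityManager, viaProc, viaPs, procfsHidden) are the example's own, and the use of `ps -A` for the toybox ps shipped on Android 8 and later is an assumption that should be checked against the target image.

```java
// Added example, not from the ATT&CK page or any listed sample.
// Tries the discovery channels the description names and reports
// whether the hidepid mitigation is in force for the calling app.
import android.app.ActivityManager;
import android.content.Context;
import android.os.Build;

import java.io.BufferedReader;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStreamReader;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;

public final class ProcessDiscovery {

    /** Channel 1: ActivityManager. From Android 5 this is restricted to the caller's own processes. */
    public static List<String> viaActivityManager(Context ctx) {
        List<String> names = new ArrayList<>();
        ActivityManager am = (ActivityManager) ctx.getSystemService(Context.ACTIVITY_SERVICE);
        List<ActivityManager.RunningAppProcessInfo> procs = am.getRunningAppProcesses();
        if (procs != null) {
            for (ActivityManager.RunningAppProcessInfo p : procs) {
                names.add(p.processName);
            }
        }
        return names;
    }

    /** Channel 2: walk /proc/<pid>/cmdline. Under hidepid only the caller's own UID's entries are listed. */
    public static List<String> viaProc() {
        List<String> names = new ArrayList<>();
        File[] entries = new File("/proc").listFiles();
        if (entries == null) return names;
        for (File e : entries) {
            if (!e.getName().matches("\\d+")) continue;   // skip non-PID entries such as /proc/self
            try (FileInputStream in = new FileInputStream(new File(e, "cmdline"))) {
                byte[] buf = new byte[4096];
                int n = in.read(buf);
                if (n > 0) {
                    // argv is NUL-separated; argv[0] is enough to name the process
                    String cmd = new String(buf, 0, n, StandardCharsets.UTF_8);
                    int nul = cmd.indexOf('\0');
                    names.add(nul > 0 ? cmd.substring(0, nul) : cmd);
                }
            } catch (IOException ignored) {
                // EACCES or ENOENT: the kernel hid this entry from us
            }
        }
        return names;
    }

    /** Channel 3: spawn ps. It reads the same procfs, so hidepid restricts it identically. */
    public static List<String> viaPs() throws IOException {
        List<String> lines = new ArrayList<>();
        // Assumption: toybox ps (Android 8+) needs -A to list all processes; older toolbox ps does not.
        String[] cmd = Build.VERSION.SDK_INT >= Build.VERSION_CODES.O
                ? new String[]{"ps", "-A"}
                : new String[]{"ps"};
        java.lang.Process p = Runtime.getRuntime().exec(cmd);
        try (BufferedReader r = new BufferedReader(
                new InputStreamReader(p.getInputStream(), StandardCharsets.UTF_8))) {
            String line;
            boolean header = true;
            while ((line = r.readLine()) != null) {
                if (header) { header = false; continue; }   // drop the column header row
                lines.add(line);
            }
        }
        return lines;
    }

    /**
     * init (PID 1) is always running. If an unprivileged app cannot even stat /proc/1,
     * hidepid is in force and channels 2 and 3 will only ever show the app's own processes.
     */
    public static boolean procfsHidden() {
        return !new File("/proc/1").exists();
    }
}
```

On an Android 7 or later device, procfsHidden() returns true for a normal app and viaProc() and viaPs() collapse to the app's own processes, unless the app runs in a privileged context (system apps are granted the readproc group that the mount option exempts). That divergence between what the API reports and what is actually running is also what an application-vetting sandbox can measure: an app that enumerates /proc or spawns ps on a modern image is looking for something it should not be able to see.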

ID: T1424
Sub-techniques: none listed
Tactics: TA0032
Platforms: Android
Version: 1.0
Created: 25 October 2017
Last Modified: 17 October 2018

Procedure Examples

ID Name Description
S0440 Agent Smith Agent Smith checks if a targeted application is running in user-space prior to infection. [4]
S0422 Anubis Anubis can collect a list of running processes. [7]
S0421 GolfSpy GolfSpy can obtain a list of running processes. [3]
S0544 HenBox HenBox can obtain a list of running processes. [6]
S0411 Rotexy Rotexy collects information about running processes. [2]
S0489 WolfRAT WolfRAT uses dumpsys to determine if certain applications are running. [5]

Mitigations

ID Mitigation Description
M1005 Application Vetting Application vetting techniques could be used to identify applications that enumerate running processes, for example through ActivityManager, ps, dumpsys, or reads of /proc.
M1006 Use Recent OS Version As stated in the technical description, Android 7 and later mount /proc with hidepid, so applications without escalated privileges can no longer enumerate other processes.

References
