Skip to content

T1426 System Information Discovery

Adversaries may attempt to get detailed information about a device’s operating system and hardware, including versions, patches, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not to fully infects the target and/or attempts specific actions.

On Android, much of this information is programmatically accessible to applications through the android.os.Build class. 1 iOS is much more restrictive with what information is visible to applications. Typically, applications will only be able to query the device model and which version of iOS it is running.

Item Value
ID T1426
Sub-techniques
Tactics TA0032
Platforms Android, iOS
Version 1.2
Created 25 October 2017
Last Modified 11 April 2022

Procedure Examples

ID Name Description
S1061 AbstractEmu AbstractEmu can collect device information such as manufacturer, model, version, serial number, and telephone number.36
S0525 Android/AdDisplay.Ashas Android/AdDisplay.Ashas can collect information about the device including device type, OS version, language, free storage space, battery status, device root, and if developer mode is enabled.42
S0304 Android/Chuli.A Android/Chuli.A gathered system information including phone number, OS version, phone model, and SDK version.7
S0310 ANDROIDOS_ANSERVER.A ANDROIDOS_ANSERVER.A gathers the device OS version, device build version, manufacturer, and model.22
S0422 Anubis Anubis can collect the device’s ID.26
S0540 Asacub Asacub can collect various pieces of device information, including device model and OS version.10
S0529 CarbonSteal CarbonSteal has gathered device metadata, including model, manufacturer, SD card size, disk usage, memory, CPU, and serial number.9
S0480 Cerberus Cerberus can collect device information, such as the default SMS app and device locale.2425
S0555 CHEMISTGAMES CHEMISTGAMES has fingerprinted devices to uniquely identify them.38
S0425 Corona Updates Corona Updates can collect various pieces of device information, including OS version, phone model, and manufacturer.15
S0505 Desert Scorpion Desert Scorpion can collect device metadata and can check if the device is rooted.39
S0550 DoubleAgent DoubleAgent has accessed common system information.9
S0420 Dvmap Dvmap checks the Android version to determine which system library to patch.17
S0507 eSurv eSurv’s iOS version can collect device information.29
S0478 EventBot EventBot can collect system information such as OS version, device vendor, and the type of screen lock that is active on the device.4
S0522 Exobot Exobot can obtain the device’s country and carrier name.16
S0509 FakeSpy FakeSpy can collect device information, including OS version and device model.28
S0577 FrozenCell FrozenCell has gathered the device manufacturer, model, and serial number.27
S0535 Golden Cup Golden Cup can collect various pieces of device information, such as serial number and product information.8
S0551 GoldenEagle GoldenEagle has checked for system root.9
S0421 GolfSpy GolfSpy can obtain the device’s battery level, network operator, connection information, sensor information, and information about the device’s storage and memory.6
S0536 GPlayed GPlayed can collect the device’s model, country, and Android version.30
S0406 Gustuff Gustuff gathers information about the device, including the default SMS application, if SafetyNet is enabled, the battery level, the operating system version, and if the malware has elevated permissions.32
S0544 HenBox HenBox can collect device information and can check if the device is running MIUI on a Xiaomi device.40
S0463 INSOMNIA INSOMNIA can collect the device’s name, serial number, iOS version, total disk space, and free disk space.37
S0288 KeyRaider Most KeyRaider samples search to find the Apple account’s username, password and device’s GUID in data being transferred.35
S0485 Mandrake Mandrake can access device configuration information and status, including Android version, battery level, device model, country, and SIM operator.12
S0407 Monokle Monokle queries the device for metadata such as make, model, and power levels.20
S0399 Pallas Pallas queries the device for metadata, such as device ID, OS version, and the number of cameras.11
S0289 Pegasus for iOS Pegasus for iOS monitors the victim for status and disables other access to the phone by other jailbreaking software.33
S0326 RedDrop RedDrop exfiltrates details of the victim device operating system and manufacturer.14
S0403 Riltok Riltok can query various details about the device, including phone number, country, mobile operator, model, root availability, and operating system version.2
S0411 Rotexy Rotexy collects information about the compromised device, including phone number, network operator, OS version, device model, and the device registration country.21
S0313 RuMMS RuMMS gathers device model and operating system version information and transmits it to a command and control server.18
S1062 S.O.V.A. S.O.V.A. can gather data about the device.31
S1056 TianySpy TianySpy can gather device UDIDs.34
S0558 Tiktok Pro Tiktok Pro can check the device’s battery status.19
S0427 TrickMo TrickMo can collect device information such as network operator, model, brand, and OS version.23
S0418 ViceLeaker ViceLeaker collects device information, including the device model and OS version.5
S0506 ViperRAT ViperRAT can collect system information, including brand, manufacturer, and serial number.13
G0112 Windshift Windshift has included system information enumeration in the malicious apps deployed as part of Operation BULL and Operation ROCK.43
S0318 XLoader for Android XLoader for Android collects the device’s Android ID and serial number.3
S0490 XLoader for iOS XLoader for iOS can obtain the device’s UDID, version number, and product number.3
S0311 YiSpecter YiSpecter has collected the device UUID.41

References

  1. Android. (n.d.). Build. Retrieved December 21, 2016. 

  2. Tatyana Shishkova. (2019, June 25). Riltok mobile Trojan: A banker with global reach. Retrieved August 7, 2019. 

  3. Hiroaki, H., Wu, L., Wu, L.. (2019, April 2). XLoader Disguises as Android Apps, Has FakeSpy Links. Retrieved July 20, 2020. 

  4. D. Frank, L. Rochberger, Y. Rimmer, A. Dahan. (2020, April 30). EventBot: A New Mobile Banking Trojan is Born. Retrieved June 26, 2020. 

  5. GReAT. (2019, June 26). ViceLeaker Operation: mobile espionage targeting Middle East. Retrieved November 21, 2019. 

  6. E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign ‘Bouncing Golf’ Affects Middle East. Retrieved January 27, 2020. 

  7. Costin Raiu, Denis Maslennikov, Kurt Baumgartner. (2013, March 26). Android Trojan Found in Targeted Attack. Retrieved December 23, 2016. 

  8. R. Iarchy, E. Rynkowski. (2018, July 5). GoldenCup: New Cyber Threat Targeting World Cup Fans. Retrieved October 29, 2020. 

  9. A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020. 

  10. T. Shishkova. (2018, August 28). The rise of mobile banker Asacub. Retrieved December 14, 2020. 

  11. Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018. 

  12. R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020. 

  13. M. Flossman. (2017, February 16). ViperRAT: The mobile APT targeting the Israeli Defense Force that should be on your radar. Retrieved September 11, 2020. 

  14. Nell Campbell. (2018, February 27). RedDrop: the blackmailing mobile malware family lurking in app stores. Retrieved September 18, 2018. 

  15. T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. Retrieved April 24, 2020. 

  16. Threat Fabric. (2017, February). Exobot - Android banking Trojan on the rise. Retrieved October 29, 2020. 

  17. R. Unuchek. (2017, June 8). Dvmap: the first Android malware with code injection. Retrieved December 10, 2019. 

  18. Wu Zhou, Deyu Hu, Jimmy Su, Yong Kang. (2016, April 26). RUMMS: THE LATEST FAMILY OF ANDROID MALWARE ATTACKING USERS IN RUSSIA VIA SMS PHISHING. Retrieved February 6, 2017. 

  19. S. Desai. (2020, September 8). TikTok Spyware. Retrieved January 5, 2021. 

  20. Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. Retrieved September 4, 2019. 

  21. T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan – banker and ransomware. Retrieved September 23, 2019. 

  22. Karl Dominguez. (2011, September 27). ANDROIDOS_ANSERVER.A. Retrieved November 30, 2018. 

  23. P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. Retrieved April 24, 2020. 

  24. Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. Retrieved June 26, 2020. 

  25. A. Hazum, B. Melnykov, C. Efrati, D. Golubenko, I. Wernik, L. Kuperman, O. Mana. (2020, April 29). First seen in the wild – Malware uses Corporate MDM as attack vector. Retrieved June 26, 2020. 

  26. M. Feller. (2020, February 5). Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. Retrieved April 8, 2020. 

  27. Michael Flossman. (2017, October 5). FrozenCell: Multi-platform surveillance campaign against Palestinians. Retrieved November 11, 2020. 

  28. O. Almkias. (2020, July 1). FakeSpy Masquerades as Postal Service Apps Around the World. Retrieved September 15, 2020. 

  29. A. Bauer. (2019, April 8). Lookout discovers phishing sites distributing new iOS and Android surveillanceware. Retrieved September 11, 2020. 

  30. V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market . Retrieved November 24, 2020. 

  31. ThreatFabric. (2021, September 9). S.O.V.A. - A new Android Banking trojan with fowl intentions. Retrieved February 6, 2023. 

  32. Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia . Retrieved September 3, 2019. 

  33. Lookout. (2016). Technical Analysis of Pegasus Spyware. Retrieved December 12, 2016. 

  34. Trend Micro. (2022, January 25). TianySpy Malware Uses Smishing Disguised as Message From Telco. Retrieved January 11, 2023. 

  35. Claud Xiao. (2015, August 30). KeyRaider: iOS Malware Steals Over 225,000 Apple Accounts to Create Free App Utopia. Retrieved December 12, 2016. 

  36. P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. Retrieved February 6, 2023. 

  37. I. Beer. (2019, August 29). Implant Teardown. Retrieved June 2, 2020. 

  38. B. Leonard, N. Mehta. (2019, November 21). The Secret Life of Sandworms. Retrieved December 31, 2020. 

  39. A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. Retrieved September 11, 2020. 

  40. A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. Retrieved September 9, 2019. 

  41. Claud Xiao. (2015, October 4). YiSpecter: First iOS Malware That Attacks Non-jailbroken Apple iOS Devices by Abusing Private APIs. Retrieved March 3, 2023. 

  42. L. Stefanko. (2019, October 24). Tracking down the developer of Android adware affecting millions of users. Retrieved October 29, 2020. 

  43. The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. Retrieved February 8, 2021.