Skip to content

T1426 System Information Discovery

An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, and architecture.

On Android, much of this information is programmatically accessible to applications through the android.os.Build class.1

On iOS, techniques exist for applications to programmatically access this information.2

Item Value
ID T1426
Sub-techniques
Tactics TA0032
Platforms Android, iOS
Version 1.1
Created 25 October 2017
Last Modified 20 November 2019

Procedure Examples

ID Name Description
S0525 Android/AdDisplay.Ashas Android/AdDisplay.Ashas can collect information about the device including device type, OS version, language, free storage space, battery status, device root, and if developer mode is enabled.31
S0304 Android/Chuli.A Android/Chuli.A gathered system information including phone number, OS version, phone model, and SDK version.6
S0310 ANDROIDOS_ANSERVER.A ANDROIDOS_ANSERVER.A gathers the device OS version, device build version, manufacturer, and model.8
S0422 Anubis Anubis can collect the device’s ID.17
S0540 Asacub Asacub can collect various pieces of device information, including device model and OS version.35
S0529 CarbonSteal CarbonSteal has gathered device metadata, including model, manufacturer, SD card size, disk usage, memory, CPU, and serial number.32
S0480 Cerberus Cerberus can collect device information, such as the default SMS app and device locale.2223
S0555 CHEMISTGAMES CHEMISTGAMES has fingerprinted devices to uniquely identify them.37
S0425 Corona Updates Corona Updates can collect various pieces of device information, including OS version, phone model, and manufacturer.18
S0505 Desert Scorpion Desert Scorpion can collect device metadata and can check if the device is rooted.26
S0550 DoubleAgent DoubleAgent has accessed common system information.32
S0420 Dvmap Dvmap checks the Android version to determine which system library to patch.15
S0507 eSurv eSurv’s iOS version can collect device information.28
S0478 EventBot EventBot can collect system information such as OS version, device vendor, and the type of screen lock that is active on the device.21
S0522 Exobot Exobot can obtain the device’s country and carrier name.30
S0509 FakeSpy FakeSpy can collect device information, including OS version and device model.29
S0577 FrozenCell FrozenCell has gathered the device manufacturer, model, and serial number.39
S0535 Golden Cup Golden Cup can collect various pieces of device information, such as serial number and product information.33
S0551 GoldenEagle GoldenEagle has checked for system root.32
S0421 GolfSpy GolfSpy can obtain the device’s battery level, network operator, connection information, sensor information, and information about the device’s storage and memory.16
S0536 GPlayed GPlayed can collect the device’s model, country, and Android version.34
S0406 Gustuff Gustuff gathers information about the device, including the default SMS application, if SafetyNet is enabled, the battery level, the operating system version, and if the malware has elevated permissions.11
S0544 HenBox HenBox can collect device information and can check if the device is running MIUI on a Xiaomi device.36
S0463 INSOMNIA INSOMNIA can collect the device’s name, serial number, iOS version, total disk space, and free disk space.20
S0288 KeyRaider Most KeyRaider samples search to find the Apple account’s username, password and device’s GUID in data being transferred.5
S0485 Mandrake Mandrake can access device configuration information and status, including Android version, battery level, device model, country, and SIM operator.24
S0407 Monokle Monokle queries the device for metadata such as make, model, and power levels.12
S0399 Pallas Pallas queries the device for metadata, such as device ID, OS version, and the number of cameras.9
S0289 Pegasus for iOS Pegasus for iOS monitors the victim for status and disables other access to the phone by other jailbreaking software.7
S0326 RedDrop RedDrop exfiltrates details of the victim device operating system and manufacturer.3
S0403 Riltok Riltok can query various details about the device, including phone number, country, mobile operator, model, root availability, and operating system version.10
S0411 Rotexy Rotexy collects information about the compromised device, including phone number, network operator, OS version, device model, and the device registration country.13
S0313 RuMMS RuMMS gathers device model and operating system version information and transmits it to a command and control server.4
S0558 Tiktok Pro Tiktok Pro can check the device’s battery status.38
S0427 TrickMo TrickMo can collect device information such as network operator, model, brand, and OS version.19
S0418 ViceLeaker ViceLeaker collects device information, including the device model and OS version.14
S0506 ViperRAT ViperRAT can collect system information, including brand, manufacturer, and serial number.27
G0112 Windshift Windshift has included system information enumeration in the malicious apps deployed as part of Operation BULL and Operation ROCK.40
S0318 XLoader for Android XLoader for Android collects the device’s Android ID and serial number.25
S0490 XLoader for iOS XLoader for iOS can obtain the device’s UDID, version number, and product number.25

Mitigations

ID Mitigation Description
M1005 Application Vetting App vetting procedures can search for apps that use the android.os.Build class, but these procedures could potentially be evaded and are likely not practical in this case, as many apps are likely to use this functionality as part of their legitimate behavior.

References

  1. Android. (n.d.). Build. Retrieved December 21, 2016. 

  2. Stack Overflow. (n.d.). How can we programmatically detect which iOS version is device running on?. Retrieved December 21, 2016. 

  3. Nell Campbell. (2018, February 27). RedDrop: the blackmailing mobile malware family lurking in app stores. Retrieved September 18, 2018. 

  4. Wu Zhou, Deyu Hu, Jimmy Su, Yong Kang. (2016, April 26). RUMMS: THE LATEST FAMILY OF ANDROID MALWARE ATTACKING USERS IN RUSSIA VIA SMS PHISHING. Retrieved February 6, 2017. 

  5. Claud Xiao. (2015, August 30). KeyRaider: iOS Malware Steals Over 225,000 Apple Accounts to Create Free App Utopia. Retrieved December 12, 2016. 

  6. Costin Raiu, Denis Maslennikov, Kurt Baumgartner. (2013, March 26). Android Trojan Found in Targeted Attack. Retrieved December 23, 2016. 

  7. Lookout. (2016). Technical Analysis of Pegasus Spyware. Retrieved December 12, 2016. 

  8. Karl Dominguez. (2011, September 27). ANDROIDOS_ANSERVER.A. Retrieved November 30, 2018. 

  9. Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018. 

  10. Tatyana Shishkova. (2019, June 25). Riltok mobile Trojan: A banker with global reach. Retrieved August 7, 2019. 

  11. Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia . Retrieved September 3, 2019. 

  12. Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. Retrieved September 4, 2019. 

  13. T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan – banker and ransomware. Retrieved September 23, 2019. 

  14. GReAT. (2019, June 26). ViceLeaker Operation: mobile espionage targeting Middle East. Retrieved November 21, 2019. 

  15. R. Unuchek. (2017, June 8). Dvmap: the first Android malware with code injection. Retrieved December 10, 2019. 

  16. E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign ‘Bouncing Golf’ Affects Middle East. Retrieved January 27, 2020. 

  17. M. Feller. (2020, February 5). Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. Retrieved April 8, 2020. 

  18. T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. Retrieved April 24, 2020. 

  19. P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. Retrieved April 24, 2020. 

  20. I. Beer. (2019, August 29). Implant Teardown. Retrieved June 2, 2020. 

  21. D. Frank, L. Rochberger, Y. Rimmer, A. Dahan. (2020, April 30). EventBot: A New Mobile Banking Trojan is Born. Retrieved June 26, 2020. 

  22. Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. Retrieved June 26, 2020. 

  23. A. Hazum, B. Melnykov, C. Efrati, D. Golubenko, I. Wernik, L. Kuperman, O. Mana. (2020, April 29). First seen in the wild – Malware uses Corporate MDM as attack vector. Retrieved June 26, 2020. 

  24. R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020. 

  25. Hiroaki, H., Wu, L., Wu, L.. (2019, April 2). XLoader Disguises as Android Apps, Has FakeSpy Links. Retrieved July 20, 2020. 

  26. A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. Retrieved September 11, 2020. 

  27. M. Flossman. (2017, February 16). ViperRAT: The mobile APT targeting the Israeli Defense Force that should be on your radar. Retrieved September 11, 2020. 

  28. A. Bauer. (2019, April 8). Lookout discovers phishing sites distributing new iOS and Android surveillanceware. Retrieved September 11, 2020. 

  29. O. Almkias. (2020, July 1). FakeSpy Masquerades as Postal Service Apps Around the World. Retrieved September 15, 2020. 

  30. Threat Fabric. (2017, February). Exobot - Android banking Trojan on the rise. Retrieved October 29, 2020. 

  31. L. Stefanko. (2019, October 24). Tracking down the developer of Android adware affecting millions of users. Retrieved October 29, 2020. 

  32. A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020. 

  33. R. Iarchy, E. Rynkowski. (2018, July 5). GoldenCup: New Cyber Threat Targeting World Cup Fans. Retrieved October 29, 2020. 

  34. V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market . Retrieved November 24, 2020. 

  35. T. Shishkova. (2018, August 28). The rise of mobile banker Asacub. Retrieved December 14, 2020. 

  36. A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. Retrieved September 9, 2019. 

  37. B. Leonard, N. Mehta. (2019, November 21). The Secret Life of Sandworms. Retrieved December 31, 2020. 

  38. S. Desai. (2020, September 8). TikTok Spyware. Retrieved January 5, 2021. 

  39. Michael Flossman. (2017, October 5). FrozenCell: Multi-platform surveillance campaign against Palestinians. Retrieved November 11, 2020. 

  40. The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. Retrieved February 8, 2021. 

Back to top