T1426 System Information Discovery
Adversaries may attempt to get detailed information about a device's operating system and hardware, including versions, patches, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not to fully infect the target and/or attempt specific actions.
On Android, much of this information is programmatically accessible to applications through the android.os.Build class.[1] iOS is much more restrictive about what information is visible to applications. Typically, applications will only be able to query the device model and which version of iOS it is running.
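As an added example (not part of the MITRE page or any of the cited reports), the following Python triage script scans decompiled Android source for the android.os.Build fields, device-identifier lookups, telephony queries and root checks that the procedure examples below describe, and flags a sample only when several categories co-occur. The decompiled snippet, the category names and the threshold are constructed assumptions.

```python
import re

# Constructed sample of decompiled (JADX-style) Java from a hypothetical app;
# not taken from any real malware sample.
SAMPLE_SOURCE = """
public class DevInfo {
    String mm = Build.MANUFACTURER + "/" + Build.MODEL;
    int sdk = Build.VERSION.SDK_INT;
    String rel = Build.VERSION.RELEASE;
    String aid = Settings.Secure.getString(cr, Settings.Secure.ANDROID_ID);
    String imei = tm.getDeviceId();
    String op = tm.getNetworkOperatorName();
    boolean rooted = new File("/system/xbin/su").exists() || Build.TAGS.contains("test-keys");
}
"""

# A benign-looking sample that only checks the API level (a normal compatibility check).
BENIGN_SOURCE = "if (Build.VERSION.SDK_INT >= 26) { startForegroundService(i); }"

# Indicator regexes grouped into the categories the Procedure Examples report.
INDICATORS = [
    (r"\bBuild\.(MANUFACTURER|MODEL|BRAND|DEVICE|PRODUCT|HARDWARE|FINGERPRINT|DISPLAY)\b", "build_metadata"),
    (r"\bBuild\.VERSION\.(SDK_INT|RELEASE|INCREMENTAL)\b", "os_version"),
    (r"\bBuild\.(SERIAL\b|getSerial\(\))", "hardware_id"),
    (r"\bSettings\.Secure\.ANDROID_ID\b", "hardware_id"),
    (r"\.(getDeviceId|getImei|getMeid|getSimSerialNumber|getSubscriberId)\(", "telephony_id"),
    (r"\.(getLine1Number|getNetworkOperatorName|getSimOperator|getSimCountryIso)\(", "telephony_info"),
    (r"/system/(x)?bin/su|test-keys|Superuser\.apk", "root_check"),
]

def scan_source(text):
    """Map each indicator category to the (line number, line) pairs that triggered it."""
    hits = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        for pattern, category in INDICATORS:
            if re.search(pattern, line):
                hits.setdefault(category, []).append((lineno, line.strip()))
    return hits

def triage(text, min_categories=3):
    """Flag a source tree only when discovery spans several categories at once,
    since crash reporters and analytics SDKs legitimately read a Build field or two."""
    hits = scan_source(text)
    return {"categories": sorted(hits), "flagged": len(hits) >= min_categories, "hits": hits}

if __name__ == "__main__":
    for name, src in (("sample", SAMPLE_SOURCE), ("benign", BENIGN_SOURCE)):
        result = triage(src)
        print(name, "flagged" if result["flagged"] else "clean", result["categories"])
```

Co-occurrence of hardware identifiers, telephony data and root checks is the signal here; any single Build read is common in legitimate apps, so the threshold should be tuned against a corpus of benign APKs before use.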
| Item | Value |
|---|---|
| ID | T1426 |
| Sub-techniques | |
| Tactics | TA0032 |
| Platforms | Android, iOS |
| Version | 1.2 |
| Created | 25 October 2017 |
| Last Modified | 24 October 2025 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| S1061 | AbstractEmu | AbstractEmu can collect device information such as manufacturer, model, version, serial number, and telephone number.[34] |
| S1095 | AhRat | AhRat can obtain device info such as manufacturer, device ID, OS version, and country.[44] |
| S0525 | Android/AdDisplay.Ashas | Android/AdDisplay.Ashas can collect information about the device including device type, OS version, language, free storage space, battery status, root status, and whether developer mode is enabled.[9] |
| S0304 | Android/Chuli.A | Android/Chuli.A gathered system information including phone number, OS version, phone model, and SDK version.[24] |
| S0310 | ANDROIDOS_ANSERVER.A | ANDROIDOS_ANSERVER.A gathers the device OS version, device build version, manufacturer, and model.[35] |
| S0422 | Anubis | Anubis can collect the device's ID.[14] |
| S0540 | Asacub | Asacub can collect various pieces of device information, including device model and OS version.[11] |
| S1079 | BOULDSPY | BOULDSPY can collect system information, such as Android version and device identifiers.[33] |
| S1094 | BRATA | BRATA can retrieve Android system and hardware information.[16] |
| C0033 | C0033 | During C0033, PROMETHIUM used StrongPity to collect device information, such as the SIM serial number.[58] |
| S0529 | CarbonSteal | CarbonSteal has gathered device metadata, including model, manufacturer, SD card size, disk usage, memory, CPU, and serial number.[21] |
| S0480 | Cerberus | Cerberus can collect device information, such as the default SMS app and device locale.[37][38] |
| S1083 | Chameleon | Chameleon has the ability to gather basic device information, such as version, model, root status, and country.[4] Chameleon has also checked the restricted settings status of the device. If the Android 13 Restricted Settings status is present, an HTML page with instructions on how to enable the Accessibility Service will be shown to the user. Additionally, Chameleon has checked the keyguard's status regarding how the device is locked (e.g. pattern, PIN or password).[5] |
| S0555 | CHEMISTGAMES | CHEMISTGAMES has fingerprinted devices to uniquely identify them.[8] |
| S0425 | Corona Updates | Corona Updates can collect various pieces of device information, including OS version, phone model, and manufacturer.[39] |
| S0505 | Desert Scorpion | Desert Scorpion can collect device metadata and can check if the device is rooted.[19] |
| S0550 | DoubleAgent | DoubleAgent has accessed common system information.[21] |
| S0420 | Dvmap | Dvmap checks the Android version to determine which system library to patch.[20] |
| S0507 | eSurv | eSurv's iOS version can collect device information.[13] |
| S0478 | EventBot | EventBot can collect system information such as OS version, device vendor, and the type of screen lock that is active on the device.[28] |
| S0522 | Exobot | Exobot can obtain the device's country and carrier name.[48] |
| S0509 | FakeSpy | FakeSpy can collect device information, including OS version and device model.[25] |
| S0577 | FrozenCell | FrozenCell has gathered the device manufacturer, model, and serial number.[43] |
| S1231 | GodFather | GodFather has the ability to gain remote control of the victim device and to gather data associated with the device, including battery level, sound settings, and device brightness.[46] GodFather has also obtained the phone's state, including network information, phone number, and serial number.[45] |
| S0535 | Golden Cup | Golden Cup can collect various pieces of device information, such as serial number and product information.[6] |
| S0551 | GoldenEagle | GoldenEagle has checked for system root.[21] |
| S0421 | GolfSpy | GolfSpy can obtain the device's battery level, network operator, connection information, sensor information, and information about the device's storage and memory.[47] |
| S0536 | GPlayed | GPlayed can collect the device's model, country, and Android version.[41] |
| S0406 | Gustuff | Gustuff gathers information about the device, including the default SMS application, whether SafetyNet is enabled, the battery level, the operating system version, and whether the malware has elevated permissions.[36] |
| S0544 | HenBox | HenBox can collect device information and can check if the device is running MIUI on a Xiaomi device.[32] |
| S1077 | Hornbill | Hornbill can collect the device ID, model, manufacturer, and Android version. It can also check available storage space and whether the screen is locked.[15] |
| S0463 | INSOMNIA | INSOMNIA can collect the device's name, serial number, iOS version, total disk space, and free disk space.[7] |
| S0288 | KeyRaider | Most KeyRaider samples search transferred data for the Apple account's username and password and the device's GUID.[3] |
| S1185 | LightSpy | LightSpy collects device information, including the phone number, IMEI, CPU details, screen specifications, and memory information.[49][50][51][52] |
| S0485 | Mandrake | Mandrake can access device configuration information and status, including Android version, battery level, device model, country, and SIM operator.[54] |
| S0407 | Monokle | Monokle queries the device for metadata such as make, model, and power levels.[42] |
| C0054 | Operation Triangulation | During Operation Triangulation, the threat actors collected device and user information.[59] |
| S0399 | Pallas | Pallas queries the device for metadata, such as device ID, OS version, and the number of cameras.[29] |
| S0289 | Pegasus for iOS | Pegasus for iOS monitors the victim for status and disables other access to the phone by other jailbreaking software.[22] |
| S1126 | Phenakite | Phenakite can collect device metadata.[31] |
| S1241 | RatMilad | RatMilad has collected device information such as model, brand, buildId, Android version and manufacturer.[27] |
| S0326 | RedDrop | RedDrop exfiltrates details of the victim device operating system and manufacturer.[53] |
| S0403 | Riltok | Riltok can query various details about the device, including phone number, country, mobile operator, model, root availability, and operating system version.[23] |
| S0411 | Rotexy | Rotexy collects information about the compromised device, including phone number, network operator, OS version, device model, and the device registration country.[55] |
| S0313 | RuMMS | RuMMS gathers device model and operating system version information and transmits it to a command and control server.[40] |
| S1062 | S.O.V.A. | S.O.V.A. can gather data about the device.[17] |
| S1082 | Sunbird | Sunbird can exfiltrate the victim device ID, model, manufacturer, and Android version.[15] |
| S1056 | TianySpy | TianySpy can gather device UDIDs.[12] |
| S0558 | Tiktok Pro | Tiktok Pro can check the device's battery status.[26] |
| S0427 | TrickMo | TrickMo can collect device information such as network operator, model, brand, and OS version.[30] |
| S0418 | ViceLeaker | ViceLeaker collects device information, including the device model and OS version.[10] |
| S0506 | ViperRAT | ViperRAT can collect system information, including brand, manufacturer, and serial number.[18] |
| G0112 | Windshift | Windshift has included system information enumeration in the malicious apps deployed as part of Operation BULL and Operation ROCK.[57] |
| S0318 | XLoader for Android | XLoader for Android collects the device's Android ID and serial number.[2] |
| S0490 | XLoader for iOS | XLoader for iOS can obtain the device's UDID, version number, and product number.[2] |
| S0311 | YiSpecter | YiSpecter has collected the device UUID.[56] |
References
- [2] Hiroaki, H., Wu, L., Wu, L. (2019, April 2). XLoader Disguises as Android Apps, Has FakeSpy Links. Retrieved July 20, 2020.
- [3] Claud Xiao. (2015, August 30). KeyRaider: iOS Malware Steals Over 225,000 Apple Accounts to Create Free App Utopia. Retrieved December 12, 2016.
- [4] Cyble Research & Intelligence Labs. (2023, April 13). Banking Trojan targeting mobile users in Australia and Poland. Retrieved August 16, 2023.
- [5] ThreatFabric. (2023, December 21). Android Banking Trojan Chameleon can now bypass any Biometric Authentication. Retrieved July 7, 2025.
- [6] R. Iarchy, E. Rynkowski. (2018, July 5). GoldenCup: New Cyber Threat Targeting World Cup Fans. Retrieved October 29, 2020.
- [7] I. Beer. (2019, August 29). Implant Teardown. Retrieved June 2, 2020.
- [8] B. Leonard, N. Mehta. (2019, November 21). The Secret Life of Sandworms. Retrieved December 31, 2020.
- [9] L. Stefanko. (2019, October 24). Tracking down the developer of Android adware affecting millions of users. Retrieved October 29, 2020.
- [10] GReAT. (2019, June 26). ViceLeaker Operation: mobile espionage targeting Middle East. Retrieved November 21, 2019.
- [11] T. Shishkova. (2018, August 28). The rise of mobile banker Asacub. Retrieved December 14, 2020.
- [12] Trend Micro. (2022, January 25). TianySpy Malware Uses Smishing Disguised as Message From Telco. Retrieved January 11, 2023.
- [13] A. Bauer. (2019, April 8). Lookout discovers phishing sites distributing new iOS and Android surveillanceware. Retrieved September 11, 2020.
- [14] M. Feller. (2020, February 5). Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. Retrieved September 25, 2024.
- [15] Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. Retrieved June 9, 2023.
- [16] Securelist. (2019, August 29). Fully equipped Spying Android RAT from Brazil: BRATA. Retrieved December 18, 2023.
- [17] ThreatFabric. (2021, September 9). S.O.V.A. - A new Android Banking trojan with fowl intentions. Retrieved February 6, 2023.
- [18] M. Flossman. (2017, February 16). ViperRAT: The mobile APT targeting the Israeli Defense Force that should be on your radar. Retrieved September 11, 2020.
- [19] A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. Retrieved September 11, 2020.
- [20] R. Unuchek. (2017, June 8). Dvmap: the first Android malware with code injection. Retrieved December 10, 2019.
- [21] A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020.
- [22] Lookout. (2016). Technical Analysis of Pegasus Spyware. Retrieved December 12, 2016.
- [23] Tatyana Shishkova. (2019, June 25). Riltok mobile Trojan: A banker with global reach. Retrieved August 7, 2019.
- [24] Costin Raiu, Denis Maslennikov, Kurt Baumgartner. (2013, March 26). Android Trojan Found in Targeted Attack. Retrieved December 23, 2016.
- [25] O. Almkias. (2020, July 1). FakeSpy Masquerades as Postal Service Apps Around the World. Retrieved September 15, 2020.
- [26] S. Desai. (2020, September 8). TikTok Spyware. Retrieved January 5, 2021.
- [27] Gupta, N. (2022, October 5). We Smell A RatMilad Android Spyware. Retrieved August 27, 2025.
- [28] D. Frank, L. Rochberger, Y. Rimmer, A. Dahan. (2020, April 30). EventBot: A New Mobile Banking Trojan is Born. Retrieved June 26, 2020.
- [29] Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.
- [30] P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. Retrieved April 24, 2020.
- [31] Flossman, M., Scott, M. (2021, April). Technical Paper // Taking Action Against Arid Viper. Retrieved November 17, 2024.
- [32] A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. Retrieved September 9, 2019.
- [33] Kyle Schmittle, Alemdar Islamoglu, Paul Shunk, Justin Albrecht. (2023, April 27). Lookout Discovers Android Spyware Tied to Iranian Police Targeting Minorities: BouldSpy. Retrieved July 21, 2023.
- [34] P. Shunk, K. Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. Retrieved February 6, 2023.
- [35] Karl Dominguez. (2011, September 27). ANDROIDOS_ANSERVER.A. Retrieved November 30, 2018.
- [36] Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia. Retrieved September 3, 2019.
- [37] Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. Retrieved June 26, 2020.
- [38] A. Hazum, B. Melnykov, C. Efrati, D. Golubenko, I. Wernik, L. Kuperman, O. Mana. (2020, April 29). First seen in the wild – Malware uses Corporate MDM as attack vector. Retrieved June 26, 2020.
- [40] Wu Zhou, Deyu Hu, Jimmy Su, Yong Kang. (2016, April 26). RUMMS: THE LATEST FAMILY OF ANDROID MALWARE ATTACKING USERS IN RUSSIA VIA SMS PHISHING. Retrieved February 6, 2017.
- [41] V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market. Retrieved November 24, 2020.
- [42] Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. Retrieved September 4, 2019.
- [43] Michael Flossman. (2017, October 5). FrozenCell: Multi-platform surveillance campaign against Palestinians. Retrieved November 11, 2020.
- [44] Lukas Stefanko. (2023, May 23). Android app breaking bad: From legitimate screen recording to file exfiltration within a year. Retrieved December 18, 2023.
- [45] Merkle Science. (2023, April 25). The Godfather Android Malware: Threat under the lens. Retrieved July 16, 2025.
- [46] Ortega, F., Pratapagiri, V. (2025, June 18). Your Mobile App, Their Playground: The Dark Side of Virtualization. Retrieved July 16, 2025.
- [47] E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign 'Bouncing Golf' Affects Middle East. Retrieved January 27, 2020.
- [48] Threat Fabric. (2017, February). Exobot - Android banking Trojan on the rise. Retrieved October 29, 2020.
- [49] Dmitry Bestuzhev. (2025, April 7). The Coordinated Kill Switch: LightSpy's iOS Destructive Plugin Architecture Manages Device Disablement. Retrieved April 14, 2025.
- [50] Melikov, D. (2024, April 11). LightSpy Returns: Renewed Espionage Campaign Targets Southern Asia, Possibly India. Retrieved January 14, 2025.
- [51] ThreatFabric. (2023, October 2). LightSpy mAPT Mobile Payment System Attack. Retrieved January 17, 2025.
- [52] ThreatFabric. (2024, October 29). LightSpy: Implant for iOS. Retrieved January 30, 2025.
- [53] Nell Campbell. (2018, February 27). RedDrop: the blackmailing mobile malware family lurking in app stores. Retrieved November 17, 2024.
- [54] R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020.
- [55] T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan – banker and ransomware. Retrieved September 23, 2019.
- [56] Claud Xiao. (2015, October 4). YiSpecter: First iOS Malware That Attacks Non-jailbroken Apple iOS Devices by Abusing Private APIs. Retrieved March 3, 2023.
- [57] The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. Retrieved February 8, 2021.
- [58] Stefanko, L. (2023, January 10). StrongPity espionage campaign targeting Android users. Retrieved January 31, 2023.
- [59] Kuznetsov, I., et al. (2023, June 1). Operation Triangulation: iOS devices targeted with previously unknown malware. Retrieved April 18, 2024.