1. Home
  2. Techniques
  3. Mobile
  4. Process Discovery

Process Discovery

On Android versions prior to 5, applications can observe information about other processes that are running through methods in the ActivityManager class. On Android versions prior to 7, applications can obtain this information by executing the ps command, or by examining the /proc directory. Starting in Android version 7, use of the Linux kernel's hidepid feature prevents applications (without escalated privileges) from accessing this information [1].

ID: T1424
Sub-techniques:  No sub-techniques
Tactic Type: Post-Adversary Device Access
Tactic: Discovery
Platforms: Android
Version: 1.0
Created: 25 October 2017
Last Modified: 17 October 2018
Provided by LAYER 8

Procedure Examples

ID Name Description
S0440 Agent Smith

Agent Smith checks if a targeted application is running in user-space prior to infection.[2]

S0422 Anubis

Anubis can collect a list of running processes.[3]
S0421 GolfSpy

GolfSpy can obtain a list of running processes.[4]
S0544 HenBox

HenBox can obtain a list of running processes.[5]
S0411 Rotexy

Rotexy collects information about running processes.[6]
S0489 WolfRAT

WolfRAT uses dumpsys to determine if certain applications are running.[7]

Mitigations

ID Mitigation Description
M1005 Application Vetting

Application vetting techniques could be used to attempt to identify applications with this behavior.
M1006 Use Recent OS Version

As stated in the technical description, Android 7 and above prevent applications from accessing this information.

References

  1. Various. (2016, March 31). Overly restrictive SELinux filesystem permissions in Android N. Retrieved December 21, 2016.
  2. A. Hazum, F. He, I. Marom, B. Melnykov, A. Polkovnichenko. (2019, July 10). Agent Smith: A New Species of Mobile Malware. Retrieved May 7, 2020.
  3. zLabs. (2019, November 12). How Zimperium’s z9 Detected Unknown Mobile Malware Overlooked by the AV Industry . Retrieved January 20, 2021.
  4. E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign ‘Bouncing Golf’ Affects Middle East. Retrieved January 27, 2020.
  1. A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. Retrieved September 9, 2019.
  2. T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan – banker and ransomware. Retrieved September 23, 2019.
  3. W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . Retrieved July 20, 2020.