- Home
- Techniques
- Mobile
- Process Discovery
Process Discovery
On Android versions prior to 5, applications can observe information about other processes that are running through methods in the ActivityManager class. On Android versions prior to 7, applications can obtain this information by executing the ps
command, or by examining the /proc
directory. Starting in Android version 7, use of the Linux kernel's hidepid
feature prevents applications (without escalated privileges) from accessing this information [1].
Procedure Examples
Name | Description |
---|---|
Agent Smith |
Agent Smith checks if a targeted application is running in user-space prior to infection.[2] |
GolfSpy | |
Rotexy | |
WolfRAT |
WolfRAT uses |
Mitigations
Mitigation | Description |
---|---|
Application Vetting |
Application vetting techniques could be used to attempt to identify applications with this behavior. |
Use Recent OS Version |
As stated in the technical description, Android 7 and above prevent applications from accessing this information. |
References
- Various. (2016, March 31). Overly restrictive SELinux filesystem permissions in Android N. Retrieved December 21, 2016.
- A. Hazum, F. He, I. Marom, B. Melnykov, A. Polkovnichenko. (2019, July 10). Agent Smith: A New Species of Mobile Malware. Retrieved May 7, 2020.
- E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign ‘Bouncing Golf’ Affects Middle East. Retrieved January 27, 2020.