Live Active security incident? Get immediate response
MITRE ATT&CK® Technique

T1422: System Network Configuration Discovery

Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of devices they access or through information discovery of remote systems.

Adversaries may use the information from System Network Configuration Discovery during automated discovery to shape follow-on behaviors, including determining certain access within the target network and what actions to do next.

On Android, details of onboard network interfaces are accessible to apps through the `java.net.NetworkInterface` class.[1] Previously, the Android `TelephonyManager` class could be used to gather telephony-related device identifiers, information such as the IMSI, IMEI, and phone number. However, starting with Android 10, only preloaded, carrier, the default SMS, or device and profile owner applications can access the telephony-related device identifiers.[2]

On iOS, gathering network configuration information is not possible without root access.

Adversaries may use the information from System Network Configuration Discovery during automated discovery to shape follow-on behaviors, including determining certain access within the target network and what actions to do next.

MobileT1422TechniqueObject v2.4 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

System Network Configuration Discovery matters because mobile malware or implants can use basic network details, such as IP or MAC address information, to understand where a device sits and decide what to do next. For executives and security leaders, the risk is not the discovery action alone; it is that mobile device context can help an adversary adapt follow-on activity, including connectivity checks, Wi-Fi-related discovery, or command-and-control preparation.

Executive priority

Treat this as a mobile security and incident-response readiness issue. Leadership should ask whether Android and iOS devices that handle sensitive business data are kept on recent OS versions, whether jailbroken/rooted devices are controlled, and whether the SOC can investigate suspicious mobile applications that collect network configuration information. This technique is associated in ATT&CK with multiple Android and iOS malware/software entries and with Operation Triangulation, so mobile telemetry and device hygiene should be part of resilience and audit evidence discussions where mobile devices are in scope.

Technical view

For Android, validate visibility into applications accessing network interface details through normal platform APIs such as java.net.NetworkInterface, and account for Android 10+ restrictions around telephony identifiers through TelephonyManager. For iOS, ATT&CK notes that gathering network configuration information is not possible without root access, making jailbreak/root indicators and unusual privilege context important investigative pivots. Because ATT&CK provides no official detection text for T1422, detection engineering should use the related DET0634 strategy as a starting point and enrich it with local mobile EDR/MDM, application inventory, OS version, permission, network, and jailbreak/root evidence. Subtechniques T1422.001 Internet Connection Discovery and T1422.002 Wi-Fi Discovery should be reviewed together because they represent common adjacent discovery behaviors.

Likely telemetry

  • Mobile device OS version and patch level from MDM/UEM
  • Installed mobile application inventory and application provenance
  • Mobile security/EDR alerts for suspicious app behavior
  • Android application behavior involving network interface or telephony-related API access where available
  • Permission, device owner/profile owner, default SMS app, carrier/preloaded app status on Android

Detection direction

  • Validate whether DET0634 or equivalent local analytics are implemented for mobile network configuration discovery behavior.
  • Tune Android detections to distinguish expected network-aware apps from suspicious or unexpected collection of device/network identifiers.
  • Use OS version context because Android 10+ restricts access to telephony-related device identifiers to specific application categories.
  • On iOS, prioritize alerts involving jailbreak/root conditions or suspicious privileged execution because ATT&CK states network configuration gathering is not possible without root access.
  • Correlate this technique with Internet Connection Discovery and Wi-Fi Discovery rather than treating isolated network-detail collection as high confidence by itself.

Mitigation priorities

  • Prioritize M1006: keep mobile operating systems on recent versions to benefit from security architecture improvements and restrictions on sensitive identifier access.
  • Enforce mobile device compliance policies for OS version, patch level, and device integrity before allowing access to business resources.
  • Restrict or remove rooted/jailbroken devices from sensitive workflows, especially for iOS where root access materially changes feasibility.
  • Maintain application governance through approved app sources, app inventory, and review of apps requesting sensitive or unusual capabilities.
  • Ensure incident response playbooks include mobile evidence collection, application triage, and decisions for containment or device re-enrollment.
Analyst notes and limits

This technique is a discovery behavior, so its value is usually in context: which app performed it, on what platform and OS version, whether the device was rooted or jailbroken, and what happened before or after. The relationship set includes Android and iOS malware/software examples, a campaign relationship, a detection strategy relationship, a mitigation relationship, and two subtechniques, which supports prioritizing mobile telemetry correlation rather than single-signal alerting.

ATT&CK does not provide official detection text or tactics for this object in the supplied fields. The available fields support Android and iOS platform discussion, Android API considerations, Android 10+ telephony identifier restrictions, and iOS root-access constraints, but they do not establish customer exposure, active exploitation, or guaranteed detection coverage. Local MDM, mobile EDR, application, and network evidence is required to assess risk and coverage.

Official MITRE ATT&CK definition

System Network Configuration Discovery

Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of devices they access or through information discovery of remote systems.

Adversaries may use the information from System Network Configuration Discovery during automated discovery to shape follow-on behaviors, including determining certain access within the target network and what actions to do next.

On Android, details of onboard network interfaces are accessible to apps through the `java.net.NetworkInterface` class.[1] Previously, the Android `TelephonyManager` class could be used to gather telephony-related device identifiers, information such as the IMSI, IMEI, and phone number. However, starting with Android 10, only preloaded, carrier, the default SMS, or device and profile owner applications can access the telephony-related device identifiers.[2]

On iOS, gathering network configuration information is not possible without root access.

Adversaries may use the information from System Network Configuration Discovery during automated discovery to shape follow-on behaviors, including determining certain access within the target network and what actions to do next.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

2 rows
Domain ID Name Relationship / procedure
Mobile T1422.002 Wi-Fi Discovery Sub-technique Wi-Fi Discovery subtechnique of this object.
Mobile T1422.001 Internet Connection Discovery Sub-technique Internet Connection Discovery subtechnique of this object.
Associated objects

Groups, software, and campaigns

Group Mobile

G1028: APT-C-23

APT-C-23 is a threat group that has been active since at least 2014.[1] APT-C-23 has primarily focused its operations on the Middle East, including Israeli military assets. APT-C-23 has developed mobile spyware targeting Android and iOS devices since 2017.[2]

Malware Mobile

S0509: FakeSpy

FakeSpy is Android spyware that has been operated by the Chinese threat actor behind the Roaming Mantis campaigns.[1]

Android
Malware Mobile

S0427: TrickMo

TrickMo a 2FA bypass mobile banking trojan, most likely being distributed by TrickBot. TrickMo has been primarily targeting users located in Germany.[1]

TrickMo is designed to steal transaction authorization numbers (TANs), which are typically used as one-time passwords.[1]

Android
Malware Mobile

S1061: AbstractEmu

AbstractEmu is mobile malware that was first seen in Google Play and other third-party stores in October 2021. It was discovered in 19 Android applications, of which at least 7 abused known Android exploits for obtaining root permissions. AbstractEmu was observed primarily impacting users in the United States, however victims are believed to be across a total of 17 countries.[1]

Android
Malware Mobile

S0311: YiSpecter

YiSpecter is a family of iOS and Android malware, first detected in November 2014, targeting users in mainland China and Taiwan. YiSpecter abuses private APIs in iOS to infect both jailbroken and non-jailbroken devices.[1]

AndroidiOS
Malware Mobile

S0329: Tangelo

Tangelo is iOS malware that is believed to be from the same developers as the Stealth Mango Android malware. It is not a mobile application, but rather a Debian package that can only run on jailbroken iOS devices. [1]

iOS
Malware Mobile

S9005: DocSwap

DocSwap is an Android malware first identified in 2025, and attributed to Kimsuky. DocSwap’s name is a combination of its Korean name “문서열람 인증 앱” (Document Viewing Authentication App) and a phishing page masquerading as CoinSwap at the C2 address. Based on DocSwap’s name and Korean-language strings, DocSwap potentially targets mobile device users in South Korea. Several variants of DocSwap exist; one of the latest samples indicates that the adversary added a native decryption function that decrypts an internal APK.[1][2]

Android
Relationship explorer

All related ATT&CK context

uses · Malware S0509: FakeSpy Mobile uses · Malware S1082: Sunbird Mobile uses · Malware S0403: Riltok Mobile uses · Malware S1077: Hornbill Mobile uses · Malware S0427: TrickMo Mobile uses · Malware S1061: AbstractEmu Mobile uses · Malware S0489: WolfRAT Mobile uses · Malware S0311: YiSpecter Mobile uses · Group G1028: APT-C-23 Mobile uses · Malware S0313: RuMMS Mobile uses · Malware S0490: XLoader for iOS Mobile uses · Malware S0329: Tangelo Mobile uses · Malware S9005: DocSwap Mobile uses · Malware S0478: EventBot Mobile uses · Campaign C0054: Operation Triangulation Mobile mitigates · Mitigation M1006: Use Recent OS Version Mobile uses · Malware S1079: BOULDSPY Mobile uses · Malware S0536: GPlayed Mobile uses · Malware S0535: Golden Cup Mobile uses · Malware S0577: FrozenCell Mobile uses · Malware S0463: INSOMNIA Mobile uses · Malware S0315: DualToy Mobile uses · Malware S0540: Asacub Mobile uses · Malware S0291: PJApps Mobile
Mitigations

Mitigation direction

Mitigation Mobile

M1006: Use Recent OS Version

New mobile operating system versions bring not only patches against discovered vulnerabilities but also often bring security architecture improvements that provide resilience against potential vulnerabilities or weaknesses that have not yet been discovered. They may also bring improvements that block use of observed adversary techniques.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
2.4
Created
Modified
Raw hash
6b96df9aa4008b03...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 2.4 Current bundle 6b96df9aa400…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    NetworkInterface

    Android. (n.d.). NetworkInterface. Retrieved December 21, 2016.

    Open source URL
  2. [2]
    TelephonyManager

    Android. (n.d.). TelephonyManager. Retrieved December 21, 2016.

    Open source URL
  3. [3]
    mitre-attack T1422
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use