MITRE ATT&CK® Technique

T1426: System Information Discovery

Adversaries may attempt to get detailed information about a device’s operating system and hardware, including versions, patches, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not to fully infect the target and/or attempt specific actions.

On Android, much of this information is programmatically accessible to applications through the `android.os.Build` class. [1] iOS is much more restrictive with what information is visible to applications. Typically, applications will only be able to query the device model and which version of iOS it is running.

Mobile | T1426 | Technique | Object v1.2
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

System Information Discovery on mobile devices matters because it helps a malicious app or implant decide what it is running on before taking next actions. On Android, device OS and hardware details are broadly available through android.os.Build; on iOS, applications are more restricted but can typically learn device model and iOS version. For leaders, this is less about the discovery call itself and more about whether the mobile security program can see untrusted apps profiling high-value devices, patch levels, and hardware before follow-on behavior.

Executive priority

Prioritize this as a mobile fleet visibility and readiness issue. The business question is whether security teams can prove which Android and iOS versions, models, and patch states exist across managed devices, and whether risky or unknown applications are allowed to run on sensitive users’ phones. This technique is associated in ATT&CK with multiple mobile malware families and campaigns, so it should inform mobile threat modeling, executive-device protection, incident triage, and audit evidence around mobile inventory and patch governance.

Technical view

Validate coverage across Android and iOS separately. For Android, review whether app analysis, mobile security tooling, or runtime telemetry can identify applications querying android.os.Build or collecting OS, hardware, version, patch, and architecture details, especially when paired with suspicious permissions, recent sideloading, or network transmission of device metadata. For iOS, expect less application-visible detail, but validate monitoring around device model and OS-version collection where telemetry exists. ATT&CK provides no official detection text for T1426, but a related detection strategy object, DET0601, exists; teams should map that strategy to local mobile telemetry before claiming coverage.

Likely telemetry

  • MDM/EMM inventory for device model, OS version, patch level, and platform
  • Mobile threat defense or mobile EDR events, if deployed
  • Application vetting/static analysis results for Android use of android.os.Build and related device-fingerprinting logic
  • Runtime app behavior telemetry where available
  • Network telemetry showing apps transmitting device model, OS version, patch, architecture, or similar metadata

Detection direction

  • Treat standalone system-information collection as low-fidelity because legitimate mobile apps often collect device model and OS version for compatibility, support, and analytics.
  • Increase confidence by correlating discovery with suspicious app provenance, excessive permissions, obfuscation, unusual outbound communication, or other mobile ATT&CK behaviors.
  • Separate Android and iOS logic: Android exposes more system details programmatically, while iOS restricts most app-visible system information to model and OS version.
  • Use ATT&CK relationship context to prioritize tests against mobile malware behaviors that use this technique, but do not infer local exposure without matching telemetry.
  • Account for the revoked Device Type Discovery technique T1419 being consolidated into T1426 when maintaining older detection content or reporting mappings.
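As an added example (not part of the Glexia page or of ATT&CK), the small Python triage helper below applies the correlation rule above to constructed static-analysis output: it pulls `android.os.Build` field reads out of decompiled smali lines and rates the finding low, medium or high only when app provenance, risky manifest permissions, or outbound transmission of device metadata corroborate it. The smali fragments, provenance labels, permission set and scoring weights are all assumptions chosen for illustration.

```python
import re

# Matches smali static-field reads of android.os.Build and android.os.Build$VERSION,
# e.g. "sget-object v0, Landroid/os/Build;->MODEL:Ljava/lang/String;"
BUILD_FIELD_RE = re.compile(r"Landroid/os/Build(\$VERSION)?;->(\w+):")

# Hypothetical weights for this example only; tune them to local telemetry.
PROVENANCE_RISK = {"managed_store": 0, "sideloaded": 2}
SUSPICIOUS_PERMS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
}

# Constructed sample: decompiler-style smali fragments, not taken from any real app.
SAMPLE_SMALI = [
    "sget-object v0, Landroid/os/Build;->MODEL:Ljava/lang/String;",
    "sget-object v1, Landroid/os/Build;->MANUFACTURER:Ljava/lang/String;",
    "sget v2, Landroid/os/Build$VERSION;->SDK_INT:I",
    "sget-object v3, Landroid/os/Build$VERSION;->SECURITY_PATCH:Ljava/lang/String;",
    "invoke-virtual {p0}, Lcom/example/App;->onCreate()V",
]


def extract_build_fields(smali_lines):
    """Return the Build fields an app reads, e.g. {'Build.MODEL', 'Build.VERSION.SDK_INT'}."""
    found = set()
    for line in smali_lines:
        m = BUILD_FIELD_RE.search(line)
        if m:
            prefix = "Build.VERSION." if m.group(1) else "Build."
            found.add(prefix + m.group(2))
    return found


def triage(smali_lines, permissions, provenance, sends_device_metadata):
    """Rate a System Information Discovery finding per the correlation rule:
    Build reads alone are 'low'; provenance, risky permissions, or outbound
    transmission of device metadata raise the tier. Returns (tier, fields)."""
    fields = extract_build_fields(smali_lines)
    if not fields:
        return "none", fields
    score = PROVENANCE_RISK.get(provenance, 1)  # unknown provenance counts as 1
    if SUSPICIOUS_PERMS & set(permissions):
        score += 2
    if sends_device_metadata:
        score += 3
    tier = "low" if score == 0 else ("medium" if score < 4 else "high")
    return tier, fields
```

A store-distributed app that only reads model and OS version stays at "low", matching the page's point that standalone collection is low fidelity; the same reads in a sideloaded app that also ships device metadata off-box rate "high".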

Mitigation priorities

  • Maintain accurate mobile asset inventory, including OS version, device model, and patch posture for Android and iOS fleets.
  • Prioritize mobile OS and security patch governance, especially for users and functions where mobile compromise would affect business continuity or sensitive access.
  • Reduce exposure to untrusted applications through managed app distribution, application vetting, and controls on sideloading where organizational policy and platform capability allow.
  • Use mobile security monitoring for high-risk users and devices, with response playbooks for suspicious apps collecting and transmitting device metadata.
  • Align incident response procedures so responders can quickly determine device model, OS version, installed applications, and management status during mobile investigations.

Analyst notes and limits

The relationship set is broad: campaigns, groups, and many mobile malware/software entries are linked as using this behavior, including Android and iOS examples. That makes T1426 useful for coverage validation and threat-informed mobile testing, but the behavior is common enough that detection must be correlation-driven. The Android-specific android.os.Build reference is a key technical anchor. iOS visibility should be scoped conservatively because the ATT&CK description states that iOS is more restrictive.

ATT&CK does not provide official detection guidance or tactics for this object in the supplied fields. The relationship data supports that the behavior is used by multiple mobile threats, but it does not establish current activity, customer exposure, or guaranteed detectability. Local conclusions require mobile management coverage, app inventory, device telemetry, and network evidence from the environment.

Official MITRE ATT&CK definition

System Information Discovery

Adversaries may attempt to get detailed information about a device’s operating system and hardware, including versions, patches, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not to fully infect the target and/or attempt specific actions.

On Android, much of this information is programmatically accessible to applications through the `android.os.Build` class. [1] iOS is much more restrictive with what information is visible to applications. Typically, applications will only be able to query the device model and which version of iOS it is running.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row

Domain | ID    | Name                  | Relationship / procedure
Mobile | T1419 | Device Type Discovery | Device Type Discovery revoked by this object.

Associated objects

Groups, software, and campaigns

Group (Mobile)

G0112: Windshift

Windshift is a threat group that has been active since at least 2017, targeting specific individuals for surveillance in government departments and critical infrastructure across the Middle East.[1][2][3]

Malware (Mobile)

S0288: KeyRaider

KeyRaider is malware that steals Apple account credentials and other data from jailbroken iOS devices. It also has ransomware functionality.[1]

Malware (Mobile; platform: Android)

S1083: Chameleon

Chameleon is an Android banking trojan that can leverage Android’s Accessibility Services to perform malicious activities. Believed to have been first active in January 2023, Chameleon has been observed targeting users in Australia and Poland by masquerading as official applications. A new variant of Chameleon has expanded its targets to include Android users in the United Kingdom and Italy.[1][2]

Malware (Mobile; platform: Android)

S9005: DocSwap

DocSwap is an Android malware first identified in 2025 and attributed to Kimsuky. DocSwap’s name is a combination of its Korean name “문서열람 인증 앱” (Document Viewing Authentication App) and a phishing page masquerading as CoinSwap at the C2 address. Based on DocSwap’s name and Korean-language strings, DocSwap potentially targets mobile device users in South Korea. Several variants of DocSwap exist; one of the latest samples indicates that the adversary added a native decryption function that decrypts an internal APK.[1][2]

Malware (Mobile; platform: Android)

S0418: ViceLeaker

ViceLeaker is a spyware framework, capable of extensive surveillance and data exfiltration operations, primarily targeting devices belonging to Israeli citizens.[1][2]

Malware (Mobile; platform: Android)

S0540: Asacub

Asacub is a banking trojan that attempts to steal money from victims’ bank accounts. It attempts to do this by initiating a wire transfer via SMS message from compromised devices.[1]

Malware (Mobile; platforms: Android, iOS)

S1056: TianySpy

TianySpy is a mobile malware primarily spread by SMS phishing between September 30 and October 12, 2021. TianySpy is believed to have targeted credentials associated with membership websites of major Japanese telecommunication services.[1]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.2
Created:
Modified:
Raw hash: aae030f3c1998ed6...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.2            |          | Current bundle | aae030f3c199…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Android-Build. Android. (n.d.). Build. Retrieved December 21, 2016.
  2. [2] NIST Mobile Threat Catalogue APP-12.
  3. [3] mitre-attack T1426.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.