216.73.217.22

T1418: Software Discovery

View on MITRE ATT&CK The MITRE Corporation · Published 17/12/2025 22:47 · Modified 27/03/2026 01:41

Essential information

MITRE technique ID
T1418
Confidence
100/100
Revoked
No
Published
17/12/2025 22:47
Modified
27/03/2026 01:41
Author / Source
The MITRE Corporation

Aliases

T1418

Platforms

android iOS

Description

Adversaries may attempt to get a listing of applications that are installed on a device. Adversaries may use the information from [Software Discovery](https://attack.mitre.org/techniques/T1418) during automated discovery to shape follow-on behaviors, including whether or not to fully infect the target and/or attempts specific actions. Adversaries may attempt to enumerate applications for a variety of reasons, such as figuring out what security measures are present or to identify the presence of target applications.

Kill chain phases

Kill chainPhase
mitre-mobile-attack discovery

Marking (TLP)

TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.

External references

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (9)

  • Ke3chang uses APT15Mirage
    The MITRE Corporation Confidence 100

    [Ke3chang](https://attack.mitre.org/groups/G0004) is a threat group attributed to actors operating out of China. [Ke3chang](https://attack.mitre.org/groups/G0004) has targeted oil, government, diplomatic, military, and NGOs in Central and South America, the Caribbean, …

    First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 27/03/2026 01:13
  • PROMETHIUM uses StrongPity
    The MITRE Corporation Confidence 100

    [PROMETHIUM](https://attack.mitre.org/groups/G0056) is an activity group focused on espionage that has been active since at least 2012. The group has conducted operations globally with a heavy emphasis on Turkish …

    First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 27/03/2026 01:14
  • Patchwork uses Hangover GroupChinastrats
    The MITRE Corporation Confidence 100

    [Patchwork](https://attack.mitre.org/groups/G0040) is a cyber espionage group that was first observed in December 2015. While the group has not been definitively attributed, circumstantial evidence suggests the group may be …

    First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 27/03/2026 01:13
  • APT37 uses InkySquidGroup123
    The MITRE Corporation Confidence 100

    [APT37](https://attack.mitre.org/groups/G0067) is a North Korean state-sponsored cyber espionage group that has been active since at least 2012. The group has targeted victims primarily in South Korea, but also …

    First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 27/03/2026 01:14
  • Virtual Invaders uses
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 03:41 · Modified 21/12/2025 03:41
  • Kimsuky uses Black BansheeVelvet Chollima
    The MITRE Corporation Confidence 100

    [Kimsuky](https://attack.mitre.org/groups/G0094) is a North Korea-based cyber espionage group that has been active since at least 2012. The group initially targeted South Korean government agencies, think tanks, and subject-matter …

    First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 04/05/2026 16:33
  • Windshift uses Bahamut
    The MITRE Corporation Confidence 100

    [Windshift](https://attack.mitre.org/groups/G0112) is a threat group that has been active since at least 2017, targeting specific individuals for surveillance in government departments and critical infrastructure across the Middle East.(Citation: …

    First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 27/03/2026 01:14
  • Sandworm uses
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 20/12/2025 23:15 · Modified 20/12/2025 23:15
  • Kamran uses
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 01:34 · Modified 21/12/2025 01:34

Malware (71)

  • Monokle uses
    Family
    Published 05/12/2024 17:33 · Modified 05/12/2024 17:33
  • GPlayed
  • Stealth Mango
  • DOCSWAP uses
    Family
    Published 16/12/2025 14:57 · Modified 16/12/2025 14:57
  • Drinik
  • Chameleon
  • GolfSpy
  • Gigabud uses
    Family
    Published 17/09/2024 11:28 · Modified 17/09/2024 11:28
  • CarbonSteal
  • FastFire
  • FakeSpy
  • Golden Cup
  • Red Alert 2.0
  • Android/AdDisplay.Ashas
  • RatMilad
  • TangleBot uses
    Family
    Published 26/06/2024 08:23 · Modified 26/06/2024 08:23
  • HenBox
  • Pallas
  • Mandrake uses
    Family The MITRE Corporation Confidence 100

    [Mandrake](https://attack.mitre.org/software/S0485) is a sophisticated Android espionage platform that has been active in the wild since at least 2016. [Mandrake](https://attack.mitre.org/software/S0485) is very actively maintained, with sophisticated features and attacks …

    First seen 01/01/1970 · Last seen 16/11/5138 Published 17/12/2025 22:47 · Modified 27/03/2026 01:41
  • Desert Scorpion
  • GoldenEagle
  • Kimsuky uses
    Family
    Published 11/06/2025 22:07 · Modified 11/06/2025 22:07
  • Hornbill
  • LightSpy uses
    Family
    Published 21/02/2025 15:28 · Modified 21/02/2025 15:28
  • TrickMo uses
    Family
    Published 11/05/2026 09:07 · Modified 11/05/2026 09:07
  • OS X
  • WolfRAT
  • Riltok
  • EventBot
  • Pegasus for Android
  • DoubleAgent
  • SpyLoan uses
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 20/12/2025 19:41 · Modified 21/12/2025 02:08
  • Binary Validator
  • DEFENSOR ID
  • TERRACOTTA
  • AbstractEmu
  • Crocodilus uses
    Family
    Published 03/06/2025 19:16 · Modified 03/06/2025 19:16
  • Rotexy
  • FlyGram
  • Agent Smith
  • StrongPity
  • KreditSpy
  • Drinik Android
  • Exodus
  • VajraSpy
  • XploitSpy uses
    Family
    Published 30/01/2026 08:19 · Modified 30/01/2026 08:19
  • TikTalk
  • BadBazaar uses
    Family
    Published 28/01/2026 18:26 · Modified 28/01/2026 18:26
  • Anubis uses
    Family
    Published 27/01/2025 14:18 · Modified 27/01/2025 14:18
  • Chameleon Banking
  • Drinik Banking
  • YiSpecter
  • Tiktok Pro
  • TriangleDB
  • Infamouse Chisel
  • Fastviewer
  • GREF
  • Sunbird
  • ViceLeaker
  • S.O.V.A.
  • Cerberus uses
    Family
    Published 19/03/2026 11:00 · Modified 19/03/2026 11:00
  • Triada uses
    Family
    Published 17/02/2026 12:39 · Modified 17/02/2026 12:39
  • CherryBlos
  • Bahamut Spyware
  • FastSpy
  • BOULDSPY
  • Uyghur Telegram uses
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 01:20 · Modified 21/12/2025 01:20
  • Android
  • INSOMNIA
  • Ginp
  • Godfather uses
    Family
    Published 11/05/2026 09:07 · Modified 11/05/2026 09:07

Reports (1)

Attack patterns (MITRE) (1)

Course Of Action (2)

  • Use Recent OS Version mitigates
  • User Guidance mitigates

Campaign (2)

  • Operation Triangulation uses
  • C0033 uses

Tool (1)

  • FlexiSpy uses
    The MITRE Corporation Confidence 100

    [FlexiSpy](https://attack.mitre.org/software/S0408) is sophisticated surveillanceware for iOS and Android. Publicly-available, comprehensive analysis has only been found for the Android version.(Citation: FortiGuard-FlexiSpy)(Citation: CyberMerchants-FlexiSpy) [FlexiSpy](https://attack.mitre.org/software/S0408) markets itself as a parental control …

    Published 04/09/2019 17:38 · Modified 27/03/2026 01:41