Mobile Tracking and Device Identification via Sensor Fingerprinting

New mobile attack vector allows cyber attackers to track and identify mobile victims via sensors fingerprinting


Cyber Security researchers discovered a new techniques and methodology of privacy botnet that allows an attacker to gain user’s personal information, detailed location, movement and motion surveillance, area mapping and more.

The malware found was designed to work in a stealth mode and running as a receiver behind a system background service. Once the attacker sends an SMS message containing different message body texts (For example: question mark or smiley) to the target device, it will cause the device to send a private information that not required any special permission or dialog’s box approval from the victim client.

The core functionality and the real advantage of the potnet (or privacy botnet), from an attacker’s point of view, is the ability to get different type of data from the victim’s device including: cellular network information and other sensor data of the targeted victim.


The malware allows an attacker to get an information about the geolocation and the positioning of the target device. This data is calculated on the potnet C&C server and then available to the attacker in order to track the target device’s exact motions.

Diagram 1.0: Human tracking system


Next generation of privacy botnet

Potnet and The Next generation of privacy’s botnets are not acting as a banking Trojan or malware and it is not designed to steal your banking credentials, log into your account or transfer your funds to criminals, is the type of malware that’s designed to track your motion, movement and geolocation, so that they can be used for social engineering, advanced positioning and tracking techniques.

The Potnet’s malware that found essentially doing this by grabbing the victim’s information and send it to certain websites. These websites are pre-specified by the attackers, and they are typically Command and Control (C&C) servers that hosted anonymously in a third-party web hosting service.

The data that is collected, then calculated on the server side in order to provide to the attacker an accurate picture about the victim. Utilizing a short processing time on the client side of the malware, data sent to the server minimized, thus reducing the possibility of detection by client side’s defense mechanisms.

Using a non-conventional device data allow the attacker to track victims that located at low-connectivity or bad-signal environments like inside buildings and even underground level (according to the cellular data signal).

Diagram 1.1: Tracking victims in low-connectivity or bad-signal environments


Weaponization of government tracking techniques

One of the harmful aspects of the potnet’s malware family is that when it enters into the target mobile device, it is very difficult to be detected or to know the exact trigger that used in order to send an information or data out from the device.

Once executed, the malware generates an incoming broadcast receiver and then waits for a specific SMS text message that contains smiley or question mark as the message text body for example. Once the SMS message arrived, the malware then logs all activities related to a specific sensor data and the cellular network information include the cell id, LAC, MNC, MCC, etc.… and sending them to the potnet C&C server.

Sending only a small amount of data to the C&C server at the backend reduces the possibility of detection by client side’s defense mechanisms (like Anti-Viruses or other signature-based protection techniques). This methodology and technique of calculating additional information that related to the victim by correlating the collected data with third-party APIs and other web-services are one of the advantages of potnets and the next generation botnets.


Diagram 1.2: Triangulation is calculated according to the signal of every base-station (cell tower)



You can read or download the full AboutAndroid Malware Analysis Report here:

Read (SlideShare):

Original post:



Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s