Collection

Collection consists of techniques used to identify and gather information, such as sensitive files, from a target network prior to exfiltration. This category also covers locations on a system or network where the adversary may look for information to exfiltrate.
ID: TA0035

Techniques

Techniques: 12
| ID | Name | Description |
|---|---|---|
| T1453 | Abuse Accessibility Features | A malicious app could abuse Android's accessibility features to capture sensitive data or perform other malicious actions. |
| T1435 | Access Calendar Entries | An adversary could call standard operating system APIs from a malicious application to gather calendar entry data, or with escalated privileges could directly access files containing calendar data. |
| T1433 | Access Call Log | On Android, an adversary could call standard operating system APIs from a malicious application to gather call log data, or with escalated privileges could directly access files containing call log data. |
| T1432 | Access Contact List | An adversary could call standard operating system APIs from a malicious application to gather contact list (i.e., address book) data, or with escalated privileges could directly access files containing contact list data. |
| T1413 | Access Sensitive Data in Device Logs | On versions of Android prior to 4.1, an adversary may use a malicious application that holds the READ_LOGS permission to obtain private keys, passwords, other credentials, or other sensitive data stored in the device's system log. On Android 4.1 and later, an adversary would need to attempt to perform an operating system privilege escalation attack to be able to access the log. |
| T1409 | Access Sensitive Data or Credentials in Files | An adversary could attempt to read files that contain sensitive data or credentials (e.g., private keys, passwords, access tokens). This technique requires either escalated privileges or for the targeted app to have stored the data in an insecure manner (e.g., with insecure file permissions or in an insecure location such as an external storage directory). |
| T1414 | Capture Clipboard Data | A malicious app or other attack vector could capture sensitive data stored in the device clipboard, for example passwords being copy-and-pasted from a password manager app. |
| T1412 | Capture SMS Messages | A malicious application could capture sensitive data sent via SMS, including authentication credentials. SMS is frequently used to transmit codes used for multi-factor authentication. |
| T1430 | Location Tracking | An adversary could use a malicious or exploited application to surreptitiously track the device's physical location through use of standard operating system APIs. |
| T1417 | Malicious Third Party Keyboard App | A malicious app can register as a device keyboard and intercept keypresses containing sensitive values such as usernames and passwords. |
| T1429 | Microphone or Camera Recordings | An adversary could use a malicious or exploited application to surreptitiously record activities using the device microphone and/or camera through use of standard operating system APIs. |
| T1410 | Network Traffic Capture or Redirection | An adversary may capture network traffic to and from the device to obtain credentials or other sensitive data, or redirect network traffic to flow through an adversary-controlled gateway to do the same. |