Access Sensitive Data or Credentials in Files

An adversary could attempt to read files that contain sensitive data or credentials (e.g., private keys, passwords, access tokens). This technique requires either escalated privileges or for the targeted app to have stored the data in an insecure manner (e.g., with insecure file permissions or in an insecure location such as an external storage directory).

ID: T1409

Tactic Type: Post-Adversary Device Access

Tactic: Collection, Credential Access

Platform: Android, iOS

MTC ID: AUT-0

Version: 1.0

Mitigations

Application Vetting: Ensure that applications do not store sensitive data or credentials insecurely (e.g., with insecure file permissions or in an insecure location such as external data storage).

Security Updates

Use Device Provided Credential Storage: Android and iOS provide hardware-backed capabilities to store credentials in an isolated location where they are less likely to be compromised even in the case of a successful privilege escalation attack against the operating system.

Use Recent OS Version: Android 7 provides stronger default file permissions over application internal data storage directories, decreasing the likelihood that insecure file permissions can be exploited.
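One way to implement the Application Vetting check above, as an added example that is not part of the ATT&CK page or of any vendor tool: it audits an `ls -l` listing of an app's storage and flags regular files that another app (or a low-privileged attacker) could read because of their permission bits or their location. The external-storage prefixes, the filename heuristic and the sample listing are assumptions constructed for this example.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Paths on shared/external storage, readable by any app holding the storage
# permission on older Android releases (prefix list is an assumption for this example).
EXTERNAL_PREFIXES = ("/sdcard/", "/storage/emulated/", "/mnt/sdcard/")
# Filename heuristic for the material this technique targets (keys, tokens, passwords).
SENSITIVE_NAME = re.compile(r"token|cred|passw|secret|\.(pem|p12|jks|key)$", re.I)
# `ls -l` line ending in an absolute path, e.g. from `find <dir> -type f -exec ls -l {} +`.
LS_LINE = re.compile(r"^(?P<mode>[-dl][rwxsStT-]{9})\s.*?\d{2}:\d{2}\s+(?P<path>/\S+)$")

# Constructed sample listing of one app's internal and external storage (not real device data).
SAMPLE_LISTING = """\
-rw------- 1 u0_a123 u0_a123  512 2024-05-01 10:12 /data/data/com.example.app/shared_prefs/settings.xml
-rw-rw-rw- 1 u0_a123 u0_a123 2048 2024-05-01 10:12 /data/data/com.example.app/shared_prefs/auth_token.xml
-rw-r--r-- 1 u0_a123 u0_a123 4096 2024-05-01 10:13 /data/data/com.example.app/databases/messages.db
-rw-rw---- 1 u0_a123 media_rw 1736 2024-05-01 10:14 /sdcard/Android/data/com.example.app/files/client.p12
drwx------ 2 u0_a123 u0_a123 4096 2024-05-01 10:10 /data/data/com.example.app/files
""".splitlines()

@dataclass(frozen=True)
class Finding:
    path: str
    reasons: tuple[str, ...]   # why another app could read (or tamper with) the file
    sensitive_name: bool       # filename suggests credentials or key material

def audit_listing(lines: list[str]) -> list[Finding]:
    """Flag regular files that are world-readable/writable or stored on external storage."""
    findings = []
    for line in lines:
        m = LS_LINE.match(line)
        if not m or m.group("mode")[0] != "-":      # skip directories, symlinks and non-ls lines
            continue
        mode, path = m.group("mode"), m.group("path")
        reasons = []
        if mode[7] == "r":                          # "other" read bit
            reasons.append("world-readable")
        if mode[8] == "w":                          # "other" write bit
            reasons.append("world-writable")
        if path.startswith(EXTERNAL_PREFIXES):
            reasons.append("on external storage")
        if reasons:
            name = path.rsplit("/", 1)[-1]
            findings.append(Finding(path, tuple(reasons), bool(SENSITIVE_NAME.search(name))))
    return findings

if __name__ == "__main__":
    for f in audit_listing(SAMPLE_LISTING):
        print(f"{'SENSITIVE ' if f.sensitive_name else ''}{f.path}: {', '.join(f.reasons)}")
```

On the sample listing the private settings file and the directory entry are ignored, while the token store, the messages database and the client certificate on external storage are reported.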

Examples

Gooligan

Gooligan steals authentication tokens that can be used to access data from multiple Google applications.[1]

Pallas

Pallas retrieves messages and decryption keys for popular messaging applications and other accounts stored on the device.[2]

Pegasus for Android

Pegasus for Android accesses sensitive data in files, such as messages stored by the WhatsApp, Facebook, and Twitter applications. It also has the ability to access arbitrary filenames and retrieve directory listings.[3]

Pegasus for iOS

Pegasus for iOS accesses sensitive data in files, such as saving Skype calls by reading them out of the Skype database files.[4]

RCSAndroid

RCSAndroid can collect passwords for Wi-Fi networks and online accounts, including Skype, Facebook, Twitter, Google, WhatsApp, Mail, and LinkedIn.[5]

Skygofree

Skygofree has a capability to obtain files from other installed applications.[6]

SpyDealer

SpyDealer exfiltrates data from over 40 apps such as WeChat, Facebook, WhatsApp, Skype, and others.[7]

SpyNote RAT

SpyNote RAT can copy files from the device to the C2 server.[8]

Stealth Mango

Stealth Mango exfiltrated data, including sensitive letters/documents, stored photos, and stored audio files.[9]

Tangelo

Tangelo accesses databases from WhatsApp, Viber, Skype, and Line. It also accesses browser history, pictures, and videos.[9]

References