1. Home
  2. Techniques
  3. Mobile
  4. File and Directory Discovery

File and Directory Discovery

Adversaries may enumerate files and directories or search in specific device locations for desired information within a filesystem. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including deciding if the adversary should fully infect the target and/or attempt specific actions.

On Android, Linux file permissions and SELinux policies typically stringently restrict what can be accessed by apps without taking advantage of a privilege escalation exploit. The contents of the external storage directory are generally visible, which could present concerns if sensitive data is inappropriately stored there. iOS's security architecture generally restricts the ability to perform any type of File and Directory Discovery without use of escalated privileges.

ID: T1420
Sub-techniques:  No sub-techniques
Tactic Type: Post-Adversary Device Access
Tactic: Discovery
Platforms: Android, iOS
MTC ID: STA-41
Version: 1.2
Created: 25 October 2017
Last Modified: 24 October 2025
Version Permalink

Procedure Examples

ID Name Description
S1095 AhRat

AhRat can enumerate files on external storage.[1]
C0033 C0033

During C0033, PROMETHIUM used StrongPity to collect file lists on the victim device.[2]

S0529 CarbonSteal

CarbonSteal has searched device storage for various files, including .amr files (audio recordings) and superuser binaries.[3]
S1225 CherryBlos

CherryBlos has accessed media files stored in external storage and has used optical character recognition (OCR) to recognize potential mnemonic phrases in pictures.[4]

S0505 Desert Scorpion

Desert Scorpion can list files stored on external storage.[5]
S9005 DocSwap

DocSwap has checked for the READ_EXTERNAL_STORAGE and MANAGE_EXTERNAL_STORAGE permissions.[6][7]

S0550 DoubleAgent

DoubleAgent has searched for specific existing data directories, including the Gmail app, Dropbox app, Pictures, and thumbnails.[3]
S1092 Escobar

Escobar can access external storage.[8]
S0577 FrozenCell

FrozenCell has searched for pdf, doc, docx, ppt, pptx, xls, and xlsx file types for exfiltration.[9]
S0535 Golden Cup

Golden Cup can collect a directory listing of external storage.[10]
S0551 GoldenEagle

GoldenEagle has looked for .doc, .txt, .gif, .apk, .jpg, .png, .mp3, and .db files on external storage.[3]
S1077 Hornbill

Hornbill has a list of file extensions that it may use to log certain operations (creation, open, close, modification, movement, deletion) on files of those types.[11]
C0016 Operation Dust Storm

During Operation Dust Storm, the threat actors used Android backdoors capable of enumerating specific files on the infected devices.[12]
C0054 Operation Triangulation

During Operation Triangulation, the threat actors have obtained a list of files in a specified directory using the fts API.[13]

S1241 RatMilad

RatMilad has listed files and pictures on the device starting from /mnt/sdcard/.[14]

S9030 SameCoin

SameCoin can use libexampleone.so to list files to be deleted.[15]
S0549 SilkBean

SilkBean can get file lists on the SD card.[3]
S0558 Tiktok Pro

Tiktok Pro can list all hidden files in the /DCIM/.dat/ directory.[16]
S1216 TriangleDB

TriangleDB has obtained a list of files using the fts API and has obtained files that match a specified regular expression.[13]

S9006 VajraSpy

VajraSpy has searched for files with specific extensions, such as .txt, .jpg, .Om4a, .aac and .opus, before exfiltration.[17]

G0112 Windshift

Windshift has included file enumeration in the malicious apps deployed as part of Operation BULL and Operation ROCK.[18]

Mitigations

ID Mitigation Description
M1006 Use Recent OS Version

Security architecture improvements in each new version of Android and iOS make it more difficult to escalate privileges. Additionally, newer versions of Android have strengthened the sandboxing applied to applications, restricting their ability to enumerate file system contents.

Detection Strategy

ID Name Analytic ID Analytic Description
DET0682 Detection of File and Directory Discovery AN1788

Defender observes an app (package/UID) issuing high-rate directory or content-index enumerations against external/shared storage or other apps’ Documents/Media providers (logcat:ContentResolver, logcat:StorageAccessFramework), followed within a short window by bulk READ handles or stat/list calls over many distinct paths (logcat:FileIO). Activity occurs without foreground UI or exceeds typical per-app baseline, indicating automated file/dir discovery rather than user-driven browsing. Correlate on package/UID/profile and time proximity.
AN1789

Defender observes an app (bundle/process) performing large-scope directory listings or metadata reads via FileProvider/NSFileManager against user-visible containers (Files app locations, iCloud/On-My-iPhone) or external providers, with rapid traversal across many folders while the app is backgrounded or without corresponding UI activity (unifiedlogs:FileProvider, unifiedlogs:FileIO). Optional signals include Photo library or document picker bulk enumeration absent recent user gesture. Correlate on bundle/process/profile and path volume within a bounded window.

References

  1. Lukas Stefanko. (2023, May 23). Android app breaking bad: From legitimate screen recording to file exfiltration within a year. Retrieved December 18, 2023.
  2. Stefanko, L. (2023, January 10). StrongPity espionage campaign targeting Android users. Retrieved January 31, 2023.
  3. A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020.
  4. Trend Micro Research. (2023, July 28). Related CherryBlos and FakeTrade Android Malware Involved in Scam Campaigns. Retrieved March 28, 2025.
  5. A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. Retrieved September 11, 2020.
  6. EnkiWhiteHat. (2025, December 16). Kimsuky Distributing Malicious Mobile App via QR Code. Retrieved January 8, 2026.
  7. Kim, H., S2W TALON. (2025, March 13). Detailed Analysis of DocSwap Malware Disguised as Security Document Viewer. Retrieved January 12, 2026.
  8. B. Toulas. (2022, March 12). Android malware Escobar steals your Google Authenticator MFA codes. Retrieved September 28, 2023.
  9. Michael Flossman. (2017, October 5). FrozenCell: Multi-platform surveillance campaign against Palestinians. Retrieved November 11, 2020.
  1. R. Iarchy, E. Rynkowski. (2018, July 5). GoldenCup: New Cyber Threat Targeting World Cup Fans. Retrieved October 29, 2020.
  2. Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. Retrieved June 9, 2023.
  3. Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021.
  4. Kucherin, G., et al. (2023, June 21). Dissecting TriangleDB, a Triangulation spyware implant. Retrieved April 18, 2024.
  5. Gupta, N. (2022, October 5). We Smell A RatMilad Android Spyware. Retrieved August 27, 2025.
  6. Check Point. (2024, November 12). Hamas-affiliated Threat Actor WIRTE Continues its Middle East Operations and Moves to Disruptive Activity. Retrieved April 20, 2026.
  7. S. Desai. (2020, September 8). TikTok Spyware. Retrieved January 5, 2021.
  8. Stefanko, L. (2024, February 1). VajraSpy: A Patchwork of espionage apps. Retrieved October 27, 2025.
  9. The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. Retrieved February 8, 2021.