Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to exfiltration.
Access to local system data, which includes information stored by the operating system, often requires escalated privileges. Examples of local system data include authentication tokens, the device keyboard cache, Wi-Fi passwords, and photos. On Android, adversaries may also attempt to access files from external storage which may require additional storage-related permissions.
GolfSpy can collect local accounts on the device, pictures, bookmarks/histories of the default browser, and files stored on the SD card. GolfSpy can list image, audio, video, and other files stored on the device. GolfSpy can copy arbitrary files from the device.
Monokle can retrieve the salt used when storing the user’s password, aiding an adversary in computing the user’s plaintext password/PIN from the stored password hash. Monokle can also capture the user’s dictionary, user-defined shortcuts, and browser history, enabling profiling of the user and their activities.
ViceLeaker can copy arbitrary files from the device to the C2 server, can exfiltrate browsing history, can exfiltrate the SD card structure, and can exfiltrate pictures as the user takes them.
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
Accessing data from the local system can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.