Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to exfiltration.
Access to local system data, which includes information stored by the operating system, often requires escalated privileges. Examples of local system data include authentication tokens, the device keyboard cache, Wi-Fi passwords, and photos. On Android, adversaries may also attempt to access files from external storage which may require additional storage-related permissions.
AbstractEmu can collect files from or inspect the device’s filesystem.
Anubis can exfiltrate files encrypted with the ransomware module from the device and can modify external storage.
BusyGasper can collect images stored on the device and browser history.
CHEMISTGAMES can collect files from the filesystem and account information from Google Chrome.
Concipit1248 can collect device photos.
Corona Updates can collect voice notes, device accounts, and gallery images.
Dendroid can collect the device’s photos, browser history, bookmarks, and accounts stored on the device.
Desert Scorpion can collect attacker-specified files, including files located on external storage.
DoubleAgent has collected files from the infected device.
Drinik can request the
Exodus Two can extract information on pictures from the Gallery, Chrome and SBrowser bookmarks, and the connected WiFi network's password.
FlexiSpy can monitor device photos and can also access browser history and bookmarks.
FrozenCell has retrieved device images for exfiltration.
Golden Cup can collect images, videos, and attacker-specified files.
GoldenEagle has retrieved .doc, .txt, .gif, .apk, .jpg, .png, .mp3, and .db files from external storage.
GolfSpy can collect local accounts on the device, pictures, bookmarks/histories of the default browser, and files stored on the SD card. GolfSpy can list image, audio, video, and other files stored on the device. GolfSpy can copy arbitrary files from the device.
Gooligan steals authentication tokens that can be used to access data from multiple Google applications.
Gustuff can capture files and photos from the compromised device.
HenBox can steal data from various sources, including chat, communication, and social media apps.
INSOMNIA can collect application database files, including Gmail, Hangouts, device photos, and container directories of third-party apps.
Monokle can retrieve the salt used when storing the user’s password, aiding an adversary in computing the user’s plaintext password/PIN from the stored password hash. Monokle can also capture the user’s dictionary, user-defined shortcuts, and browser history, enabling profiling of the user and their activities.
|C0016||Operation Dust Storm||
During Operation Dust Storm, the threat actors used Android backdoors capable of exfiltrating specific files directly from the infected devices.
RCSAndroid can collect passwords for Wi-Fi networks and online accounts, including Skype, Facebook, Twitter, Google, WhatsApp, Mail, and LinkedIn.
SilkBean can retrieve files from external storage and can collect browser data.
SpyNote RAT can copy files from the device to the C2 server.
Stealth Mango collected and exfiltrated data from the device, including sensitive letters/documents, stored photos, and stored audio files.
TangleBot can request permission to view files and media.
Tiktok Pro can collect device photos and credentials from other applications.
ViceLeaker can copy arbitrary files from the device to the C2 server, can exfiltrate browsing history, can exfiltrate the SD card structure, and can exfiltrate pictures as the user takes them.
ViperRAT can collect device photos, PDF documents, Office documents, browser history, and browser bookmarks.
Windshift has exfiltrated local account data and calendar information as part of Operation ROCK.
WolfRAT can collect user account, photos, browser history, and arbitrary files.
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
Accessing data from the local system can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.