Data from Local System

Sensitive data can be collected from local system sources, such as the file system or databases of information residing on the system.

Local system data includes information stored by the operating system. Access to local system data often requires escalated privileges (e.g. root access). Examples of local system data include authentication tokens, the device keyboard cache, Wi-Fi passwords, and photos.

ID: T1533
Sub-techniques:  No sub-techniques
Tactic Type: Post-Adversary Device Access
Tactic: Collection
Platforms: Android, iOS
Version: 1.0
Created: 10 October 2019
Last Modified: 11 October 2019

Procedure Examples

Name Description

Anubis can exfiltrate files encrypted with the ransomware module from the device.[1]


Concipit1248 can collect device photos.[2]

Corona Updates

Corona Updates can collect voice notes, device accounts, and gallery images.[2]


Dendroid can collect the device’s photos, browser history, bookmarks, and accounts stored on the device.[3]

Desert Scorpion

Desert Scorpion can collect files located in external storage.[4]


eSurv can exfiltrate device pictures.[5]


Exodus Two can extract information on pictures from the Gallery, Chrome and SBrowser bookmarks, and the connected WiFi network's password.[6]


FlexiSpy can monitor device photos and can also access browser history and bookmarks.[7]


Ginp can download device logs.[8]


GolfSpy can collect local accounts on the device, pictures, bookmarks/histories of the default browser, and files stored on the SD card. GolfSpy can list image, audio, video, and other files stored on the device. GolfSpy can copy arbitrary files from the device.[9]


Gooligan steals authentication tokens that can be used to access data from multiple Google applications.[10]


Gustuff can capture files and photos from the compromised device.[11]


INSOMNIA can collect application database files, including Gmail, Hangouts, device photos, and container directories of third-party apps.[12]


Monokle can retrieve the salt used when storing the user’s password, aiding an adversary in computing the user’s plaintext password/PIN from the stored password hash. Monokle can also capture the user’s dictionary, user-defined shortcuts, and browser history, enabling profiling of the user and their activities.[13]


RCSAndroid can collect passwords for Wi-Fi networks and online accounts, including Skype, Facebook, Twitter, Google, WhatsApp, Mail, and LinkedIn.[14]

SpyNote RAT

SpyNote RAT can copy files from the device to the C2 server.[15]

Stealth Mango

Stealth Mango collected and exfiltrated data from the device, including sensitive letters/documents, stored photos, and stored audio files.[16]


Tangelo accesses browser history, pictures, and videos.[16]


TrickMo can steal pictures from the device.[17]


ViceLeaker can copy arbitrary files from the device to the C2 server, can exfiltrate browsing history, can exfiltrate the SD card structure, and can exfiltrate pictures as the user takes them.[18][19]


ViperRAT can collect device photos, PDF documents, Office documents, browser history, and browser bookmarks.[20]


WolfRAT can collect user account, photos, browser history, and arbitrary files.[21]


This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.


Accessing data from the local system can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.