Hide Artifacts: Conceal Multimedia Files

Other sub-techniques of Hide Artifacts (3)

ID	Name
T1628.001	Suppress Application Icon
T1628.002	User Evasion
T1628.003	Conceal Multimedia Files

Adversaries may attempt to hide multimedia files from the user. By doing so, adversaries may conceal captured files, such as pictures, videos and/or screenshots, then later exfiltrate those files.

Specific to Android devices, if the .nomedia file is present in a folder, multimedia files in that folder will not be visible to the user in the Gallery application. Additionally, other applications are asked not to scan the folder with the .nomedia file, effectively making the folder appear invisible to the user.

This technique is often used by stalkerware and spyware applications.

ID: T1628.003

Sub-technique of: T1628

ⓘ

Tactic: Defense Evasion

ⓘ

Platforms: Android

Contributors: Shankar Raman, Amrita University, Gen Digital, Traboda

Version: 1.0

Created: 20 February 2024

Last Modified: 17 April 2024

Version Permalink

Live Version

Procedure Examples

ID	Name	Description
G0112	Windshift	Windshift has hidden multimedia files from the user.^[1]

Mitigations

ID	Mitigation	Description
M1059	Do Not Mitigate	Conceal Multimedia Files likely should not be mitigated with preventative controls because the `.nomedia` file may be used legitimately.

References

Cyfirma. (2023, February 10). APT Bahamut Attacks Indian Intelligence Operative using Android Malware. Retrieved February 23, 2024.