1. Home
  2. Techniques
  3. Mobile
  4. Protected User Data
  5. Calendar Entries

Protected User Data: Calendar Entries

ID Name
T1636.001 Calendar Entries
T1636.002 Call Log
T1636.003 Contact List
T1636.004 SMS Messages
T1636.005 Accounts

Adversaries may utilize standard operating system APIs to gather calendar entry data. On Android, this can be accomplished using the Calendar Content Provider. On iOS, this can be accomplished using the EventKit framework.

If the device has been jailbroken or rooted, an adversary may be able to access Calendar Entries without the user’s knowledge or approval.

ID: T1636.001
Sub-technique of:  T1636
Tactic: Collection
Platforms: Android, iOS
MTC ID: APP-13
Version: 1.1
Created: 01 April 2022
Last Modified: 24 October 2025
Version Permalink

Procedure Examples

ID Name Description
S0405 Exodus

Exodus Two can exfiltrate calendar events.[1]

S0408 FlexiSpy

FlexiSpy can collect the device calendars.[2]
S0407 Monokle

Monokle can retrieve calendar event information including the event name, when and where it is taking place, and the description.[3]

S0316 Pegasus for Android

Pegasus for Android accesses calendar entries.[4]
S0328 Stealth Mango

Stealth Mango uploads calendar events and reminders.[5]
S1082 Sunbird

Sunbird can exfiltrate calendar information.[6]

Mitigations

ID Mitigation Description
M1011 User Guidance

Calendar access is an uncommonly needed permission, so users should be instructed to use extra scrutiny when granting access to their device calendar.

Detection Strategy

ID Name Analytic ID Analytic Description
DET0674 Detection of Calendar Entries AN1774

Application vetting services could look for android.permission.READ_CALENDAR or android.permission.WRITE_CALENDAR in an Android application’s manifest, or NSCalendarsUsageDescription in an iOS application’s Info.plist file. Most applications do not need calendar access, so extra scrutiny could be applied to those that request it.
On both Android and iOS, the user can manage which applications have permission to access calendar information through the device settings screen, revoke the permission if necessary.

AN1775

Application vetting services could look for android.permission.READ_CALENDAR or android.permission.WRITE_CALENDAR in an Android application’s manifest, or NSCalendarsUsageDescription in an iOS application’s Info.plist file. Most applications do not need calendar access, so extra scrutiny could be applied to those that request it.
On both Android and iOS, the user can manage which applications have permission to access calendar information through the device settings screen, revoke the permission if necessary.

References

  1. Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved November 17, 2024.
  2. Actis B. (2017, April 22). FlexSpy Application Analysis. Retrieved September 4, 2019.
  3. Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. Retrieved September 4, 2019.
  1. Mike Murray. (2017, April 3). Pegasus for Android: the other side of the story emerges. Retrieved April 16, 2017.
  2. Lookout. (n.d.). Stealth Mango & Tangelo. Retrieved September 27, 2018.
  3. Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. Retrieved June 9, 2023.