Protected User Data: Accounts

Adversaries may utilize standard operating system APIs to gather account data. On Android, this can be accomplished by using the AccountManager API. For example, adversaries may use the getAccounts() method to list all accounts.[1] On iOS, this can be accomplished by using the Keychain services.

If the device has been jailbroken or rooted, adversaries may be able to access Accounts without the users’ knowledge or approval.

ID: T1636.005
Sub-technique of: T1636
Tactic: Collection
Platforms: Android, iOS
Contributors: Google's Android Security team
Version: 1.0
Created: 17 September 2025
Last Modified: 17 September 2025

Procedure Examples

ID | Name | Description
S1243 | DCHSpy | DCHSpy has collected account names and their types from the device.[2]
S1241 | RatMilad | RatMilad has collected account names and their types from the compromised device.[3]

Mitigations

ID | Mitigation | Description
M1006 | Use Recent OS Version | OS feature updates often enhance security and privacy around permissions.
M1011 | User Guidance | Access to accounts is an uncommonly needed permission, so users should be instructed to use extra scrutiny when granting access to their accounts.

Detection Strategy

ID | Name | Analytic ID | Analytic Description
DET0635 | Detection of Accounts | AN1708 | Monitor for API calls that are related to the AccountManager API on Android and Keychain services on iOS. Application vetting services may look for MANAGE_ACCOUNTS in an Android application’s manifest. Most applications do not need access to accounts, so extra scrutiny may be applied to those that request it.
DET0635 | Detection of Accounts | AN1709 | Monitor for API calls that are related to the AccountManager API on Android and Keychain services on iOS. Application vetting services may look for MANAGE_ACCOUNTS in an Android application’s manifest. Most applications do not need access to accounts, so extra scrutiny may be applied to those that request it.
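
An added example, not part of the ATT&CK page: one way a vetting pipeline could implement the manifest check described in the analytics above, assuming the AndroidManifest.xml has already been decoded from its binary form to text XML. Flagging GET_ACCOUNTS alongside the page's MANAGE_ACCOUNTS is an assumption, and the sample manifest and its package name are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
# MANAGE_ACCOUNTS is the permission the page names. GET_ACCOUNTS is an added
# assumption: it is tied to AccountManager.getAccounts() on older API levels.
ACCOUNT_PERMISSIONS = {
    "android.permission.MANAGE_ACCOUNTS": "named in the detection guidance",
    "android.permission.GET_ACCOUNTS": "assumed: tied to AccountManager.getAccounts()",
}
PERMISSION_TAGS = ("uses-permission", "uses-permission-sdk-23")

# Constructed sample manifest in decoded text form, not taken from a real app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.MANAGE_ACCOUNTS"
                     android:maxSdkVersion="22"/>
    <uses-permission-sdk-23 android:name="android.permission.GET_ACCOUNTS"/>
    <application android:label="Flashlight"/>
</manifest>"""

def find_account_permissions(manifest_xml):
    """Return one finding per account-related permission request in the manifest."""
    # Manifests never need a DTD; refuse one so a submitted app cannot abuse
    # entity expansion against the vetting host's XML parser.
    if "<!DOCTYPE" in manifest_xml.upper():
        raise ValueError("manifest contains a DOCTYPE declaration")
    root = ET.fromstring(manifest_xml)
    findings = []
    for tag in PERMISSION_TAGS:
        for elem in root.iter(tag):
            name = elem.get(f"{{{ANDROID_NS}}}name", "")
            if name in ACCOUNT_PERMISSIONS:
                findings.append({
                    "package": root.get("package", "<unknown>"),
                    "permission": name,
                    "element": tag,
                    "max_sdk": elem.get(f"{{{ANDROID_NS}}}maxSdkVersion"),
                    "reason": ACCOUNT_PERMISSIONS[name],
                })
    return findings

if __name__ == "__main__":
    for f in find_account_permissions(SAMPLE_MANIFEST):
        scope = f"up to API {f['max_sdk']}" if f["max_sdk"] else "all API levels"
        print(f"{f['package']}: {f['permission']} via <{f['element']}> ({scope})")
```

A finding is a prompt for the extra scrutiny the analytic describes, not a verdict: the reviewer still has to judge whether the app's stated function needs account access.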

References