T1420 File and Directory Discovery
Adversaries may enumerate files and directories or search in specific device locations for desired information within a filesystem. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including deciding if the adversary should fully infect the target and/or attempt specific actions.
On Android, Linux file permissions and SELinux policies typically stringently restrict what can be accessed by apps without taking advantage of a privilege escalation exploit. The contents of the external storage directory are generally visible, which could present concerns if sensitive data is inappropriately stored there. iOS’s security architecture generally restricts the ability to perform any type of File and Directory Discovery without use of escalated privileges.
| Item | Value |
|---|---|
| ID | T1420 |
| Sub-techniques | |
| Tactics | TA0032 |
| Platforms | Android, iOS |
| Version | 1.2 |
| Created | 25 October 2017 |
| Last Modified | 24 October 2025 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| S1095 | AhRat | AhRat can enumerate files on external storage.4 |
| C0033 | C0033 | During C0033, PROMETHIUM used StrongPity to collect file lists on the victim device.13 |
| S0529 | CarbonSteal | CarbonSteal has searched device storage for various files, including .amr files (audio recordings) and superuser binaries.1 |
| S1225 | CherryBlos | CherryBlos has accessed media files stored in external storage and has used optical character recognition (OCR) to recognize potential mnemonic phrases in pictures.3 |
| S0505 | Desert Scorpion | Desert Scorpion can list files stored on external storage.2 |
| S0550 | DoubleAgent | DoubleAgent has searched for specific existing data directories, including the Gmail app, Dropbox app, Pictures, and thumbnails.1 |
| S1092 | Escobar | Escobar can access external storage.10 |
| S0577 | FrozenCell | FrozenCell has searched for pdf, doc, docx, ppt, pptx, xls, and xlsx file types for exfiltration.8 |
| S0535 | Golden Cup | Golden Cup can collect a directory listing of external storage.7 |
| S0551 | GoldenEagle | GoldenEagle has looked for .doc, .txt, .gif, .apk, .jpg, .png, .mp3, and .db files on external storage.1 |
| S1077 | Hornbill | Hornbill has a list of file extensions that it may use to log certain operations (creation, open, close, modification, movement, deletion) on files of those types.5 |
| C0016 | Operation Dust Storm | During Operation Dust Storm, the threat actors used Android backdoors capable of enumerating specific files on the infected devices.14 |
| C0054 | Operation Triangulation | During Operation Triangulation, the threat actors have obtained a list of files in a specified directory using the fts API.6 |
| S1241 | RatMilad | RatMilad has listed files and pictures on the device starting from /mnt/sdcard/.11 |
| S0549 | SilkBean | SilkBean can get file lists on the SD card.1 |
| S0558 | Tiktok Pro | Tiktok Pro can list all hidden files in the /DCIM/.dat/ directory.9 |
| S1216 | TriangleDB | TriangleDB has obtained a list of files using the fts API and has obtained files that match a specified regular expression.6 |
| G0112 | Windshift | Windshift has included file enumeration in the malicious apps deployed as part of Operation BULL and Operation ROCK.12 |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1006 | Use Recent OS Version | Security architecture improvements in each new version of Android and iOS make it more difficult to escalate privileges. Additionally, newer versions of Android have strengthened the sandboxing applied to applications, restricting their ability to enumerate file system contents. |
References
-
A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020. ↩↩↩↩
-
A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. Retrieved September 11, 2020. ↩
-
Trend Micro Research. (2023, July 28). Related CherryBlos and FakeTrade Android Malware Involved in Scam Campaigns. Retrieved March 28, 2025. ↩
-
Lukas Stefanko. (2023, May 23). Android app breaking bad: From legitimate screen recording to file exfiltration within a year. Retrieved December 18, 2023. ↩
-
Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. Retrieved June 9, 2023. ↩
-
Kucherin, G., et al. (2023, June 21). Dissecting TriangleDB, a Triangulation spyware implant. Retrieved April 18, 2024. ↩↩
-
R. Iarchy, E. Rynkowski. (2018, July 5). GoldenCup: New Cyber Threat Targeting World Cup Fans. Retrieved October 29, 2020. ↩
-
Michael Flossman. (2017, October 5). FrozenCell: Multi-platform surveillance campaign against Palestinians. Retrieved November 11, 2020. ↩
-
S. Desai. (2020, September 8). TikTok Spyware. Retrieved January 5, 2021. ↩
-
B. Toulas. (2022, March 12). Android malware Escobar steals your Google Authenticator MFA codes. Retrieved September 28, 2023. ↩
-
Gupta, N. (2022, October 5). We Smell A RatMilad Android Spyware. Retrieved August 27, 2025. ↩
-
The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. Retrieved February 8, 2021. ↩
-
Stefanko, L. (2023, January 10). StrongPity espionage campaign targeting Android users. Retrieved January 31, 2023. ↩
-
Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021. ↩