
T1420 File and Directory Discovery

On Android, command line tools or the Java file APIs can be used to enumerate file system contents. However, Linux file permissions and SELinux policies generally strongly restrict what an app can access (without taking advantage of a privilege escalation exploit). The contents of the external storage directory are generally visible, which could present a concern if sensitive data is inappropriately stored there.

iOS’s security architecture generally restricts the ability to perform file and directory discovery without use of escalated privileges.

| Item | Value |
| --- | --- |
| ID | T1420 |
| Sub-techniques | |
| Tactics | TA0032 |
| Platforms | Android |
| Version | 1.0 |
| Created | 25 October 2017 |
| Last Modified | 17 October 2018 |

Procedure Examples

| ID | Name | Description |
| --- | --- | --- |
| S0529 | CarbonSteal | CarbonSteal has searched device storage for various files, including .amr files (audio recordings) and superuser binaries. [2] |
| S0505 | Desert Scorpion | Desert Scorpion can list files stored on external storage. [1] |
| S0550 | DoubleAgent | DoubleAgent has searched for specific existing data directories, including the Gmail app, Dropbox app, Pictures, and thumbnails. [2] |
| S0577 | FrozenCell | FrozenCell has searched for pdf, doc, docx, ppt, pptx, xls, and xlsx file types for exfiltration. [5] |
| S0535 | Golden Cup | Golden Cup can collect a directory listing of external storage. [3] |
| S0551 | GoldenEagle | GoldenEagle has looked for .doc, .txt, .gif, .apk, .jpg, .png, .mp3, and .db files on external storage. [2] |
| S0549 | SilkBean | SilkBean can get file lists on the SD card. [2] |
| S0558 | Tiktok Pro | Tiktok Pro can list all hidden files in the /DCIM/.dat/ directory. [4] |
| G0112 | Windshift | Windshift has included file enumeration in the malicious apps deployed as part of Operation BULL and Operation ROCK. [6] |

Mitigations

| ID | Mitigation | Description |
| --- | --- | --- |
| M1006 | Use Recent OS Version | Increase the difficulty of escalating privileges, as security architecture improvements in each new version of Android and iOS make it more difficult to escalate privileges. Additionally, newer versions of Android have strengthened the sandboxing applied to applications, restricting their ability to enumerate file system contents. |
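The description above notes that shared external storage is the part of the file system an unprivileged app can generally enumerate, and the mitigation relies on the app sandbox keeping everything else out of reach. The following added example (not code from the ATT&CK page or from any of the listed software) shows the storage choice that decides which side of that line an app's sensitive data falls on: the weak pattern writes a session token to the shared external directory, the hardened patterns keep it in app-private storage. `Context`, `Environment` and `openFileOutput` are real Android framework APIs; the directory name `MyApp`, the file name `session.txt` and the token value are assumptions for illustration.

```java
// Added example: shared external storage versus app-private storage for a
// sensitive file. Android framework classes are real; names are assumptions.
import android.content.Context;
import android.os.Environment;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;

public final class SensitiveStorage {

    // Weak pattern: the token lands in the shared external directory
    // (for example /sdcard/MyApp/session.txt). Any app holding the storage
    // permission can list and read it, which is exactly the external-storage
    // enumeration the procedure examples above describe.
    public static File writeToSharedExternal(String token) throws IOException {
        File dir = new File(Environment.getExternalStorageDirectory(), "MyApp");
        if (!dir.exists() && !dir.mkdirs()) {
            throw new IOException("could not create " + dir);
        }
        File out = new File(dir, "session.txt");
        try (FileOutputStream fos = new FileOutputStream(out)) {
            fos.write(token.getBytes(StandardCharsets.UTF_8));
        }
        return out;
    }

    // Hardened pattern: the app's private data directory, owned by the app's
    // own Linux UID and not world-readable. Another app can reach it only
    // through a privilege escalation, the case the description sets aside.
    public static File writeToPrivateInternal(Context ctx, String token) throws IOException {
        try (FileOutputStream fos = ctx.openFileOutput("session.txt", Context.MODE_PRIVATE)) {
            fos.write(token.getBytes(StandardCharsets.UTF_8));
        }
        return new File(ctx.getFilesDir(), "session.txt");
    }

    // If data must live on external storage (large media, for instance), use
    // the app-scoped external directory rather than the shared root: it is
    // removed on uninstall, and on Android 10 and later scoped storage keeps
    // other apps from browsing it without user involvement.
    public static File writeToAppScopedExternal(Context ctx, String name, byte[] data) throws IOException {
        File dir = ctx.getExternalFilesDir(null);
        if (dir == null) {
            throw new IOException("external storage is not available");
        }
        File out = new File(dir, name);
        try (FileOutputStream fos = new FileOutputStream(out)) {
            fos.write(data);
        }
        return out;
    }
}
```

When reviewing an app against this technique, the question to ask of every write is which of these three directories it targets; only the first one is visible to the kind of unprivileged enumeration the procedure examples perform, and `Environment.getExternalStorageDirectory()` is deprecated on current Android precisely because of that exposure.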

References
