T1435 Access Calendar Entries
An adversary could call standard operating system APIs from a malicious application to gather calendar entry data, or with escalated privileges could directly access files containing calendar data.
Item | Value |
---|---|
ID | T1435 |
Sub-techniques | |
Tactics | TA0035 |
Platforms | Android, iOS |
Version | 1.0 |
Created | 25 October 2017 |
Last Modified | 17 October 2018 |
Procedure Examples
ID | Name | Description |
---|---|---|
S0405 | Exodus | Exodus Two can exfiltrate calendar events.[4] |
S0408 | FlexiSpy | FlexiSpy can collect the device calendars.[1] |
S0407 | Monokle | Monokle can retrieve calendar event information including the event name, when and where it is taking place, and the description.[5] |
S0316 | Pegasus for Android | Pegasus for Android accesses calendar entries.[2] |
S0328 | Stealth Mango | Stealth Mango uploads calendar events and reminders.[3] |
Mitigations
ID | Mitigation | Description |
---|---|---|
M1005 | Application Vetting | On Android, accessing device calendar data requires that the app hold the READ_CALENDAR permission. Apps that request this permission could be closely scrutinized to ensure that the request is appropriate. On iOS, the app vetting process can determine whether apps access device calendar data, with extra scrutiny applied to any that do so. |
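
The Application Vetting check described above, sketched as an added example (not part of the ATT&CK entry or any vendor tool). It assumes the APK manifest has already been decoded to text XML; the iOS Info.plist usage-description keys are not named on this page and only show declared intent, and all sample inputs are constructed.

```python
import plistlib
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
READ_CALENDAR = "android.permission.READ_CALENDAR"
# Info.plist keys an iOS app declares before it can read calendar data.
IOS_CALENDAR_KEYS = ("NSCalendarsUsageDescription",
                     "NSCalendarsFullAccessUsageDescription")

def android_calendar_findings(manifest_xml):
    """Return one finding per READ_CALENDAR request in a decoded manifest."""
    # For untrusted manifests, prefer a hardened parser such as defusedxml.
    root = ET.fromstring(manifest_xml)
    findings = []
    # Permissions can be requested via either element type.
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            if el.get(ANDROID_NS + "name") == READ_CALENDAR:
                findings.append({"platform": "Android", "element": tag,
                                 "package": root.get("package")})
    return findings

def ios_calendar_findings(info_plist):
    """Return one finding per calendar usage-description key in Info.plist."""
    info = plistlib.loads(info_plist)
    return [{"platform": "iOS", "key": k, "purpose": info[k],
             "bundle": info.get("CFBundleIdentifier")}
            for k in IOS_CALENDAR_KEYS if k in info]

# Constructed sample inputs (hypothetical app, not taken from any real package).
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CALENDAR"/>
</manifest>"""

SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>CFBundleIdentifier</key><string>com.example.flashlight</string>
<key>NSCalendarsUsageDescription</key><string>Sync events</string>
</dict></plist>"""

if __name__ == "__main__":
    # Each finding is a candidate for the closer scrutiny the mitigation calls for.
    for f in (android_calendar_findings(SAMPLE_MANIFEST)
              + ios_calendar_findings(SAMPLE_PLIST)):
        print(f)
```
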
References
1. Actis B. (2017, April 22). FlexSpy Application Analysis. Retrieved September 4, 2019.
2. Mike Murray. (2017, April 3). Pegasus for Android: the other side of the story emerges. Retrieved April 16, 2017.
3. Lookout. (n.d.). Stealth Mango & Tangelo. Retrieved September 27, 2018.
4. Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved September 3, 2019.
5. Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. Retrieved September 4, 2019.