T1628.003 Conceal Multimedia Files
Adversaries may attempt to hide multimedia files from the user. By doing so, adversaries may conceal captured files, such as pictures, videos and/or screenshots, then later exfiltrate those files.
Specific to Android devices, if the .nomedia file is present in a folder, multimedia files in that folder will not be visible to the user in the Gallery application. Additionally, other applications are asked not to scan the folder with the .nomedia file, effectively making the folder appear invisible to the user.
This technique is often used by stalkerware and spyware applications.
| Item | Value |
|---|---|
| ID | T1628.003 |
| Sub-techniques | T1628.001, T1628.002, T1628.003 |
| Tactics | TA0030 |
| Platforms | Android |
| Version | 1.0 |
| Created | 20 February 2024 |
| Last Modified | 17 April 2024 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| G0112 | Windshift | Windshift has hidden multimedia files from the user.1 |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1059 | Do Not Mitigate | Conceal Multimedia Files likely should not be mitigated with preventative controls because the .nomedia file may be used legitimately. |