Skip to content

T1636.001 Calendar Entries

Adversaries may utilize standard operating system APIs to gather calendar entry data. On Android, this can be accomplished using the Calendar Content Provider. On iOS, this can be accomplished using the EventKit framework.

If the device has been jailbroken or rooted, an adversary may be able to access Calendar Entries without the user’s knowledge or approval.

Item Value
ID T1636.001
Sub-techniques T1636.001, T1636.002, T1636.003, T1636.004
Tactics TA0035
Platforms Android, iOS
Version 1.1
Created 01 April 2022
Last Modified 16 March 2023

Procedure Examples

ID Name Description
S0405 Exodus Exodus Two can exfiltrate calendar events.5
S0408 FlexiSpy FlexiSpy can collect the device calendars.1
S0407 Monokle Monokle can retrieve calendar event information including the event name, when and where it is taking place, and the description.3
S0316 Pegasus for Android Pegasus for Android accesses calendar entries.4
S0328 Stealth Mango Stealth Mango uploads calendar events and reminders.2

Mitigations

ID Mitigation Description
M1011 User Guidance Calendar access is an uncommonly needed permission, so users should be instructed to use extra scrutiny when granting access to their device calendar.

Detection

ID Data Source Data Component
DS0041 Application Vetting Permissions Requests
DS0042 User Interface System Settings

References

  1. Actis B. (2017, April 22). FlexSpy Application Analysis. Retrieved September 4, 2019. 

  2. Lookout. (n.d.). Stealth Mango & Tangelo. Retrieved September 27, 2018. 

  3. Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. Retrieved September 4, 2019. 

  4. Mike Murray. (2017, April 3). Pegasus for Android: the other side of the story emerges. Retrieved April 16, 2017. 

  5. Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved September 3, 2019.