T1636.001 Calendar Entries
Adversaries may utilize standard operating system APIs to gather calendar entry data. On Android, this can be accomplished using the Calendar Content Provider. On iOS, this can be accomplished using the EventKit framework.
If the device has been jailbroken or rooted, an adversary may be able to access Calendar Entries without the user’s knowledge or approval.
Item | Value |
---|---|
ID | T1636.001 |
Sub-techniques | T1636.001, T1636.002, T1636.003, T1636.004 |
Tactics | TA0035 |
Platforms | Android, iOS |
Version | 1.1 |
Created | 01 April 2022 |
Last Modified | 16 March 2023 |
Procedure Examples
ID | Name | Description |
---|---|---|
S0405 | Exodus | Exodus Two can exfiltrate calendar events. [5] |
S0408 | FlexiSpy | FlexiSpy can collect the device calendars. [1] |
S0407 | Monokle | Monokle can retrieve calendar event information including the event name, when and where it is taking place, and the description. [3] |
S0316 | Pegasus for Android | Pegasus for Android accesses calendar entries. [4] |
S0328 | Stealth Mango | Stealth Mango uploads calendar events and reminders. [2] |
Mitigations
ID | Mitigation | Description |
---|---|---|
M1011 | User Guidance | Calendar access is an uncommonly needed permission, so users should be instructed to use extra scrutiny when granting access to their device calendar. |
Detection
ID | Data Source | Data Component |
---|---|---|
DS0041 | Application Vetting | Permissions Requests |
DS0042 | User Interface | System Settings |
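
One way to implement the Application Vetting check for permission requests, as an added example that is not part of the original page: it flags calendar access declared in an Android manifest or an iOS Info.plist. It assumes the manifest has already been decoded to text XML (for example with apktool); the sample inputs and the `com.example.flashlight` app are constructed.

```python
import plistlib
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
ANDROID_CALENDAR_PERMS = {
    "android.permission.READ_CALENDAR",
    "android.permission.WRITE_CALENDAR",
}
# Info.plist usage-description keys that declare calendar access via EventKit.
IOS_CALENDAR_KEYS = {
    "NSCalendarsUsageDescription",
    "NSCalendarsFullAccessUsageDescription",
    "NSCalendarsWriteOnlyAccessUsageDescription",
}

# Constructed sample inputs (not taken from any real app).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CALENDAR"/>
</manifest>"""
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.flashlight</string>
  <key>NSCalendarsUsageDescription</key><string>Sync events</string>
</dict></plist>"""


def android_calendar_permissions(manifest_xml: str) -> list[str]:
    """Return calendar permissions requested in a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    found = set()
    # Both element names can carry a permission request.
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(ANDROID_NS + "name", "")
            if name in ANDROID_CALENDAR_PERMS:
                found.add(name)
    return sorted(found)


def ios_calendar_keys(info_plist: bytes) -> list[str]:
    """Return calendar usage-description keys present in an Info.plist (XML or binary)."""
    return sorted(k for k in plistlib.loads(info_plist) if k in IOS_CALENDAR_KEYS)


if __name__ == "__main__":
    print("Android:", android_calendar_permissions(SAMPLE_MANIFEST))
    print("iOS:", ios_calendar_keys(SAMPLE_PLIST))
```

A hit is a prompt for review against the app's stated purpose, not a verdict. The check also says nothing about jailbroken or rooted devices, where calendar data may be reachable without any declared permission.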
References
1. Actis B. (2017, April 22). FlexSpy Application Analysis. Retrieved September 4, 2019.
2. Lookout. (n.d.). Stealth Mango & Tangelo. Retrieved September 27, 2018.
3. Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. Retrieved September 4, 2019.
4. Mike Murray. (2017, April 3). Pegasus for Android: the other side of the story emerges. Retrieved April 16, 2017.
5. Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved September 3, 2019.