T1636.005 Accounts
Adversaries may utilize standard operating system APIs to gather account data. On Android, this can be accomplished by using the AccountManager API. For example, adversaries may use the getAccounts() method to list all accounts.[1] On iOS, this can be accomplished by using the Keychain services.
If the device has been jailbroken or rooted, adversaries may be able to access Accounts without the users’ knowledge or approval.
| Item | Value |
|---|---|
| ID | T1636.005 |
| Sub-techniques | T1636.001, T1636.002, T1636.003, T1636.004, T1636.005 |
| Tactics | TA0035 |
| Platforms | Android, iOS |
| Version | 1.0 |
| Created | 17 September 2025 |
| Last Modified | 17 September 2025 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| S1243 | DCHSpy | DCHSpy has collected account names and their types from the device.[3] |
| S1241 | RatMilad | RatMilad has collected account names and their types from the compromised device.[2] |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1006 | Use Recent OS Version | OS feature updates often enhance security and privacy around permissions. |
| M1011 | User Guidance | Access to accounts is an uncommonly needed permission, so users should be instructed to use extra scrutiny when granting access to their accounts. |
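
As a defender-side check for the permission that M1011 calls out, the following added example (not part of the ATT&CK entry) flags account permissions in an app manifest during app vetting. It assumes the manifest has already been decoded to text XML; the verdict strings, function names and sample manifests are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
ACCOUNT_PERMISSIONS = {
    "android.permission.GET_ACCOUNTS",
    "android.permission.GET_ACCOUNTS_PRIVILEGED",
}
# Per the AccountManager documentation, callers targeting API 26+ only see
# accounts made visible to them; GET_ACCOUNTS is not used for those callers.
ACCOUNT_VISIBILITY_API = 26

def audit_manifest(manifest_xml):
    """Return account-permission findings for one text-form AndroidManifest.xml."""
    if "<!DOCTYPE" in manifest_xml or "<!ENTITY" in manifest_xml:
        raise ValueError("DTD/entity declarations are not expected in a manifest")
    root = ET.fromstring(manifest_xml)
    requested = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for elem in root.iter(tag):
            name = elem.get(ANDROID_NS + "name")
            if name in ACCOUNT_PERMISSIONS:
                requested.add(name)
    uses_sdk = root.find("uses-sdk")
    raw = uses_sdk.get(ANDROID_NS + "targetSdkVersion") if uses_sdk is not None else None
    target_sdk = int(raw) if raw and raw.isdigit() else None
    if not requested:
        verdict = "no-account-permission"
    elif target_sdk is None or target_sdk < ACCOUNT_VISIBILITY_API:
        # Legacy or unknown target: treat the permission as granting broad listing.
        verdict = "review-legacy-account-access"
    else:
        verdict = "review-account-permission"
    return {"package": root.get("package"), "target_sdk": target_sdk,
            "permissions": sorted(requested), "verdict": verdict}

def sample_manifest(package, target_sdk, permissions):
    """Build a constructed sample manifest (not taken from any real app)."""
    perms = "".join(f'<uses-permission android:name="{p}"/>' for p in permissions)
    return (f'<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            f'package="{package}"><uses-sdk android:targetSdkVersion="{target_sdk}"/>'
            f'{perms}</manifest>')

SAMPLES = [
    sample_manifest("com.example.legacy", 22, ["android.permission.GET_ACCOUNTS"]),
    sample_manifest("com.example.modern", 34, ["android.permission.GET_ACCOUNTS"]),
    sample_manifest("com.example.plain", 34, ["android.permission.INTERNET"]),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(audit_manifest(sample))
```

An app that requests an account permission while targeting an API level below 26 is the case worth the closest look, which is also where M1006 (a recent OS version and current target level) narrows what the permission exposes.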
References
1. Android. (2025, February 13). AccountManager. Retrieved September 2, 2025.
2. Gupta, N. (2022, October 5). We Smell A RatMilad Android Spyware. Retrieved August 27, 2025.
3. Albrecht, J., Islamoglu, A. (2025, July 21). Lookout Discovers Iranian APT MuddyWater Leveraging DCHSpy During Israel-Iran Conflict. Retrieved September 19, 2025.