cti/mobile-attack/attack-pattern/attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760.json

{
    "type": "bundle",
    "id": "bundle--2c0b37e0-8e62-413a-b43e-f93a50aca126",
    "spec_version": "2.0",
    "objects": [
        {
            "type": "attack-pattern",
            "id": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760",
            "created": "2017-10-25T14:48:12.913Z",
            "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
            "revoked": false,
            "external_references": [
                {
                    "source_name": "mitre-attack",
                    "url": "https://attack.mitre.org/techniques/T1429",
                    "external_id": "T1429"
                },
                {
                    "source_name": "Manifest.permission",
                    "description": "Android Developers. (2022, March 17). Voice Call. Retrieved April 1, 2022.",
                    "url": "https://developer.android.com/reference/android/media/MediaRecorder.AudioSource#VOICE_CALL"
                },
                {
                    "source_name": "Requesting Auth-Media Capture",
                    "description": "Apple Developers. (n.d.). Requesting Authorization for Media Capture on iOS. Retrieved April 1, 2022.",
                    "url": "https://developer.apple.com/documentation/avfoundation/cameras_and_media_capture/requesting_authorization_for_media_capture_on_ios"
                },
                {
                    "source_name": "Android Permissions",
                    "description": "Google. (2021, August 11). Manifest.permission. Retrieved September 22, 2021.",
                    "url": "https://developer.android.com/reference/android/Manifest.permission"
                },
                {
                    "source_name": "Android Privacy Indicators",
                    "description": "Google. (n.d.). Privacy Indicators. Retrieved April 20, 2022.",
                    "url": "https://source.android.com/devices/tech/config/privacy-indicators"
                },
                {
                    "source_name": "iOS Mic Spyware",
                    "description": "ZecOps Research Team. (2021, November 4). How iOS Malware Can Spy on Users Silently. Retrieved April 1, 2022.",
                    "url": "https://blog.zecops.com/research/how-ios-malware-can-spy-on-users-silently/"
                },
                {
                    "source_name": "NIST Mobile Threat Catalogue",
                    "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-19.html",
                    "external_id": "APP-19"
                }
            ],
            "object_marking_refs": [
                "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
            ],
            "modified": "2025-10-24T17:48:52.833Z",
            "name": "Audio Capture",
            "description": "Adversaries may capture audio to collect information by leveraging standard operating system APIs of a mobile device. Examples of audio information adversaries may target include user conversations, surroundings, phone calls, or other sensitive information. \n\n \n\nAndroid and iOS, by default, require that applications request device microphone access from the user.  \n\n \n\nOn Android devices, applications must hold the `RECORD_AUDIO` permission to access the microphone or the `CAPTURE_AUDIO_OUTPUT` permission to access audio output. Because Android does not allow third-party applications to hold the `CAPTURE_AUDIO_OUTPUT` permission by default, only privileged applications, such as those distributed by Google or the device vendor, can access audio output.(Citation: Android Permissions) However, adversaries may be able to gain this access after successfully elevating their privileges. With the `CAPTURE_AUDIO_OUTPUT` permission, adversaries may pass the `MediaRecorder.AudioSource.VOICE_CALL` constant to `MediaRecorder.setAudioOutput`, allowing capture of both voice call uplink and downlink.(Citation: Manifest.permission) \n\n \n\nOn iOS devices, applications must include the `NSMicrophoneUsageDescription` key in their `Info.plist` file to access the microphone.(Citation: Requesting Auth-Media Capture)",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "mitre-mobile-attack",
                    "phase_name": "collection"
                }
            ],
            "x_mitre_attack_spec_version": "3.2.0",
            "x_mitre_deprecated": false,
            "x_mitre_domains": [
                "mobile-attack"
            ],
            "x_mitre_is_subtechnique": false,
            "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
            "x_mitre_platforms": [
                "Android",
                "iOS"
            ],
            "x_mitre_version": "3.1",
            "x_mitre_tactic_type": [
                "Post-Adversary Device Access"
            ]
        }
    ]
}