T1429 · threatengine.sh

Home/ATT&CK Technique/Audio Capture

MOBILE ATT&CK

Audio Capture

T1429 · collection

Adversaries may capture audio to collect information by leveraging standard operating system APIs of a mobile device. Examples of audio information adversaries may target include user conversations, surroundings, phone calls, or other sensitive information. Android and iOS, by default, require that applications request device microphone access from the user.

On Android devices, applications must hold the RECORD_AUDIO permission to access the microphone or the CAPTURE_AUDIO_OUTPUT permission to access audio output. Because Android does not allow third-party applications to hold the CAPTURE_AUDIO_OUTPUT permission by default, only privileged applications, such as those distributed by Google or the device vendor, can access audio output. However, adversaries may be able to gain this access after successfully elevating their privileges.

With the CAPTURE_AUDIO_OUTPUT permission, adversaries may pass the MediaRecorder.AudioSource.VOICE_CALL constant to MediaRecorder.setAudioOutput, allowing capture of both voice call uplink and downlink. On iOS devices, applications must include the NSMicrophoneUsageDescription key in their Info.plist file to access the microphone.

AndroidiOS

◆

Actors Using This

13

iranAPT39
private_mercenaryBahamut
indiaBitter
israel_private_sector_mobile_forensics_cyber_mercenaryCellebrite
italyCy4Gate
lebanonDark Caracal
indiaDoNot Team
italyeSurv
spainMollitiam Industries
pakistanTransparent Tribe
italyNegg Group
pakistanSideCopy
united_arab_emiratesWindshift

◈

Likely Attack Path

Techniques the same actors pair with this one distinctively - those showing up among actors who use this technique noticeably more than across all actors (lift > 1.15), grouped by kill-chain phase. The × is that lift multiplier; the shared-actor count is in the tooltip. A near-universal technique pairs with everything at baseline, so its list is short by design.

initial-access earlier

T1456 · Drive-By Compromise ×18.31 T1458 · Replication Through Removable Media ×18.31

defense-evasion earlier

T1406 · Obfuscated Files or Information ×18.31

discovery earlier

T1422 · System Network Configuration Discovery ×18.31 T1426 · System Information Discovery ×18.31

collection same

T1409 · Stored Application Data ×18.31 T1430.001 · Remote Device Management Services ×18.31 T1636.001 · Calendar Entries ×18.31 T1636.002 · Call Log ×18.31 T1636.003 · Contact List ×18.31 T1636.004 · SMS Messages ×18.31 T1414 · Clipboard Data ×18.31 T1512 · Video Capture ×18.31

command-and-control later

T1437 · Application Layer Protocol ×18.31 T1437.001 · Web Protocols ×18.31

◈

Detection Coverage

0/6 layers

Coverage across standard detection surfaces. Rows marked none have no rule of that type mapped. Some are real blind spots worth closing; others are simply not applicable to this technique (e.g. YARA matches malware files, not network behaviour).

Behavioral / log (Sigma) none

Analytics (MITRE CAR) none

Runtime / container (Falco) none

File / malware (YARA) none

Network (Suricata/Snort) none

Vuln scan (Nuclei) none

Intelligence Graph · click any node to traverse

CVETechnique ActorTool Family

drag to reposition · click any node to traverse · button top-right enlarges

External lookups - second-class, for what we don’t hold ourselves

MITRE ATT&CK Atomic Red Team car (MITRE)

Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities

Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs

Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures

Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1

About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service

threatengine.sh · Open-source threat intelligence platform · 100+ authoritative sources · Every fact traces to its origin