
T1409: Stored Application Data

The MITRE Corporation · Published 17/12/2025 22:48 · Modified 27/03/2026 01:41

Essential information

MITRE technique ID: T1409
Confidence: 100/100
Revoked: No
Published: 17/12/2025 22:48
Modified: 27/03/2026 01:41
Author / Source: The MITRE Corporation

Aliases

T1409

Platforms

Android, iOS

Description

Adversaries may try to access and collect application data resident on the device. Adversaries often target popular applications, such as Facebook, WeChat, and Gmail.(Citation: SWB Exodus March 2019)

Due to mobile OS sandboxing, this technique is only possible in three scenarios:

* An application stores files in unprotected external storage
* An application stores files in its internal storage directory with insecure permissions (e.g. 777)
* The adversary gains root permissions on the device
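The second scenario can be checked during app review. The following is an added example, not part of the MITRE entry or of this page: it audits a copy of an app's internal storage directory for files that other UIDs could read or write. The function names and the sample layout are constructed for illustration.

```python
import os
import stat
import tempfile

def audit_app_storage(root):
    """Return (relative path, octal mode, issues) for files other UIDs can reach."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune directories without o+x: other UIDs cannot traverse them, so
        # files underneath are unreachable whatever their own mode bits say.
        dirnames[:] = [d for d in dirnames
                       if os.lstat(os.path.join(dirpath, d)).st_mode & stat.S_IXOTH]
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets, FIFOs
            mode = stat.S_IMODE(st.st_mode)
            issues = []
            if mode & stat.S_IROTH:
                issues.append("world-readable")
            if mode & stat.S_IWOTH:
                issues.append("world-writable")
            if issues:
                findings.append((os.path.relpath(path, root), oct(mode), issues))
    return sorted(findings)

# Constructed sample layout (not from a real app): path -> (dir mode, file mode)
SAMPLE = {
    "databases/messages.db": (0o771, 0o660),
    "shared_prefs/session.xml": (0o771, 0o777),
    "files/export.csv": (0o700, 0o644),
    "cache/thumb.bin": (0o771, 0o664),
}

def run_demo():
    """Build the sample tree in a temp directory and audit it."""
    with tempfile.TemporaryDirectory() as root:
        for rel, (dir_mode, file_mode) in SAMPLE.items():
            directory, _ = os.path.split(os.path.join(root, rel))
            os.makedirs(directory, exist_ok=True)
            with open(os.path.join(root, rel), "w") as fh:
                fh.write("sample")
            os.chmod(os.path.join(root, rel), file_mode)
            os.chmod(directory, dir_mode)
        return audit_app_storage(root)

if __name__ == "__main__":
    for path, mode, issues in run_demo():
        print(f"{mode} {path}: {', '.join(issues)}")
```

In the sample, `files/export.csv` has mode 644 but is not reported, because its parent directory is 700 and cannot be traversed by other UIDs.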

Kill chain phases

Kill chain: mitre-mobile-attack
Phase: collection

Marking (TLP)

TLP:CLEAR

Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.

External references