216.73.217.22

T1513: Screen Capture

View on MITRE ATT&CK The MITRE Corporation · Published 17/12/2025 22:48 · Modified 27/03/2026 01:41

Essential information

MITRE technique ID
T1513
Confidence
100/100
Revoked
No
Published
17/12/2025 22:48
Modified
27/03/2026 01:41
Author / Source
The MITRE Corporation

Aliases

T1513

Platforms

android

Description

Adversaries may use screen capture to collect additional information about a target device, such as applications running in the foreground, user data, credentials, or other sensitive information. Applications running in the background can capture screenshots or videos of another application running in the foreground by using the Android `MediaProjectionManager` (generally requires the device user to grant consent).(Citation: Fortinet screencap July 2019)(Citation: Android ScreenCap1 2019) Background applications can also use Android accessibility services to capture screen contents being displayed by a foreground application.(Citation: Lookout-Monokle) An adversary with root access or Android Debug Bridge (adb) access could call the Android `screencap` or `screenrecord` commands.(Citation: Android ScreenCap2 2019)(Citation: Trend Micro ScreenCap July 2015)

Kill chain phases

Kill chainPhase
mitre-mobile-attack collection

Marking (TLP)

TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.

External references

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.