Mobile Credential Access consists of techniques for obtaining credentials from mobile devices. Adversaries may leverage accessibility features, intercept notifications containing OTPs, capture clipboard data, access password stores, or perform keylogging and GUI input capture to steal authentication material.
Tactic Overview
Tactic ID: TA0031 — Matrix: Mobile — Techniques: 6
The Credential Access tactic represents a phase in the adversary lifecycle where the adversary is trying to steal account names, passwords, or other secrets. This tactic is part of the MITRE ATT&CK Mobile matrix and encompasses 6 known techniques that adversaries employ during this phase of an attack.
Understanding this tactic is critical for defenders to build effective detection strategies and implement appropriate countermeasures. Organizations should map their security controls against each technique to identify coverage gaps and prioritize defensive investments.
Techniques (6)
The following techniques are categorized under the Credential Access tactic in the MITRE ATT&CK Mobile matrix:
| Technique ID | Name | Description | MITRE Reference |
|---|---|---|---|
T1453 | Abuse Accessibility Features | Adversaries abuse mobile accessibility services to capture screen content, keystrokes, and control device input. | T1453 |
T1517 | Access Notifications | Adversaries abuse notification access to read OTP codes, authentication tokens, and sensitive messages. | T1517 |
T1414 | Clipboard Data | Adversaries capture mobile clipboard contents to steal credentials, cryptocurrency addresses, and other sensitive data. | T1414 |
T1634 | Credentials from Password Store (1 sub-techniques) | Adversaries access mobile password stores and keychains to steal stored credentials. | T1634 |
T1417 | Input Capture (2 sub-techniques) | Adversaries capture user input through mobile keyloggers and GUI input capture to steal credentials and data. | T1417 |
T1635 | Steal Application Access Token (1 sub-techniques) | Adversaries steal OAuth tokens and API keys from mobile applications to impersonate users. | T1635 |
Detection & Mitigation
Organizations should implement layered defenses addressing each technique within this tactic. Below are key mitigation strategies recommended by Mjolnir Security analysts.
Key Mitigations
- Biometric authentication
- Secure clipboard management
- Accessibility service restrictions
- Notification privacy settings
- Password manager with biometric unlock
Detection Strategies
Effective detection of Credential Access techniques requires a combination of log analysis, behavioral monitoring, and threat intelligence correlation. Security teams should focus on establishing baselines for normal activity and alerting on deviations that may indicate adversary behavior aligned with this tactic.
- SIEM Integration: Correlate events across multiple data sources to detect technique patterns
- Behavioral Analytics: Deploy UEBA solutions to identify anomalous activity indicative of this tactic
- Threat Hunting: Proactively search for indicators of techniques within this tactic using hypothesis-driven investigations
- Purple Teaming: Regularly test detection coverage by simulating techniques from this tactic
Associated Threat Actors
The following threat actors are known to heavily leverage techniques from the Credential Access tactic:
For comprehensive threat actor profiles, visit the APT Groups Hub.
Resources & References
Defend Against Credential Access Techniques
Mjolnir Security provides expert threat intelligence, purple team exercises, and detection engineering services to help organizations defend against adversary tactics mapped to the MITRE ATT&CK framework.
Stay updated on MITRE ATT&CK developments and threat intelligence insights.
View All Reports →Written by Mjolnir Security Research — Published March 7, 2026