Mobile Collection consists of techniques adversaries use to gather sensitive data from compromised mobile devices. These include capturing audio and video, accessing contacts and call logs, reading SMS messages, intercepting communications through adversary-in-the-middle attacks, and accessing locally stored application data.
Tactic Overview
Tactic ID: TA0035 — Matrix: Mobile — Techniques: 15
The Collection tactic represents a phase in the adversary lifecycle where the adversary is trying to gather data of interest to their goal. This tactic is part of the MITRE ATT&CK Mobile matrix and encompasses 15 known techniques that adversaries employ during this phase of an attack.
Understanding this tactic is critical for defenders to build effective detection strategies and implement appropriate countermeasures. Organizations should map their security controls against each technique to identify coverage gaps and prioritize defensive investments.
Techniques (15)
The following techniques are categorized under the Collection tactic in the MITRE ATT&CK Mobile matrix:
| Technique ID | Name | Description | MITRE Reference |
|---|---|---|---|
| T1453 | Abuse Accessibility Features | Adversaries abuse mobile accessibility services to capture screen content, keystrokes, and control device input. | T1453 |
| T1517 | Access Notifications | Adversaries abuse notification access to read OTP codes, authentication tokens, and sensitive messages. | T1517 |
| T1638 | Adversary-in-the-Middle | Adversaries intercept mobile network communications to capture credentials and modify data in transit. | T1638 |
| T1532 | Archive Collected Data | Adversaries compress and encrypt data collected from mobile devices before exfiltration. | T1532 |
| T1429 | Audio Capture | Adversaries capture audio through mobile device microphones to eavesdrop on conversations. | T1429 |
| T1616 | Call Control | Adversaries manipulate phone call functionality to redirect calls, block calls, or make unauthorized calls. | T1616 |
| T1414 | Clipboard Data | Adversaries capture mobile clipboard contents to steal credentials, cryptocurrency addresses, and other sensitive data. | T1414 |
| T1533 | Data from Local System | Adversaries collect data from the mobile device's local file system, including documents, photos, and databases. | T1533 |
| T1417 | Input Capture (2 sub-techniques) | Adversaries capture user input through mobile keyloggers and GUI input capture to steal credentials and data. | T1417 |
| T1676 | Linked Devices | Adversaries exploit linked device features to access and collect data from companion devices and services. | T1676 |
| T1430 | Location Tracking (2 sub-techniques) | Adversaries track the physical location of mobile devices using GPS, cell tower data, and Wi-Fi signals. | T1430 |
| T1636 | Protected User Data (5 sub-techniques) | Adversaries access protected mobile user data, including contacts, call logs, SMS messages, and calendar entries. | T1636 |
| T1513 | Screen Capture | Adversaries capture mobile device screenshots to observe user activity and collect displayed information. | T1513 |
| T1409 | Stored Application Data | Adversaries access data stored by mobile applications in databases, shared preferences, and local files. | T1409 |
| T1512 | Video Capture | Adversaries capture video through mobile device cameras for surveillance and intelligence gathering. | T1512 |
Detection & Mitigation
Organizations should implement layered defenses addressing each technique within this tactic. Below are key mitigation strategies recommended by Mjolnir Security analysts.
Key Mitigations
- App permission management
- Microphone/camera indicators
- Data encryption at rest
- Secure messaging applications
- Regular permission audits
Detection Strategies
Effective detection of Collection techniques requires a combination of log analysis, behavioral monitoring, and threat intelligence correlation. Security teams should focus on establishing baselines for normal activity and alerting on deviations that may indicate adversary behavior aligned with this tactic.
- SIEM Integration: Correlate events across multiple data sources to detect technique patterns
- Behavioral Analytics: Deploy UEBA solutions to identify anomalous activity indicative of this tactic
- Threat Hunting: Proactively search for indicators of techniques within this tactic using hypothesis-driven investigations
- Purple Teaming: Regularly test detection coverage by simulating techniques from this tactic
Defend Against Collection Techniques
Mjolnir Security provides expert threat intelligence, purple team exercises, and detection engineering services to help organizations defend against adversary tactics mapped to the MITRE ATT&CK framework.
Written by Mjolnir Security Research — Published March 7, 2026
