DET0659: Detection of Conceal Multimedia Files
Analyst context for executives and security teams
DET0659 is a mobile ATT&CK detection strategy for identifying attempts to conceal multimedia files, specifically related to the Android technique where adversaries may hide captured pictures, videos, or screenshots from normal user-facing gallery views. The business significance is not the file-hiding mechanism alone; it is that sensitive media may be collected and staged on mobile devices without obvious user visibility before later exfiltration.
Executive priority
Security leaders should treat this as a mobile data-protection and incident-response readiness issue. If Android devices are in scope for executives, field staff, regulated workflows, or cyber-physical operations, leaders should ask whether mobile telemetry, device management, and IR procedures can identify hidden media staging rather than relying on users noticing suspicious files. This can support decisions around mobile visibility, acceptable-use monitoring, evidence preservation, and compliance readiness for sensitive image or video data.
Technical view
The ATT&CK object provides no official detection logic, platforms, or tactics, but its relationship states that it detects T1628.003 Conceal Multimedia Files, a mobile Android technique in which an adversary places a `.nomedia` file in a directory so that multimedia stored there is skipped by the media scanner and therefore does not appear in Gallery or in other applications that rely on the media index. SOC and IR teams should validate whether Android endpoint, mobile device management, file-system, or forensic collection sources can reveal directories containing `.nomedia` alongside media files, especially in unusual application-controlled paths or locations associated with suspected capture activity.
Likely telemetry
- Android file-system inventory or forensic collection showing `.nomedia` files and adjacent multimedia files
- Mobile device management or enterprise mobility telemetry, where available, for application storage and file changes
- Application inventory and storage-path context for apps that create or manage media files
- Incident response acquisition data from Android devices when user-visible Gallery contents do not match stored media
- Alerts or logs from mobile security controls that report suspicious hidden files, media staging, or abnormal app storage behavior
Detection direction
- Confirm whether current mobile monitoring can see hidden media locations; user-facing Gallery visibility is not sufficient evidence of absence.
- Look for `.nomedia` files in folders that also contain pictures, videos, or screenshots, and prioritize unusual paths or app directories inconsistent with expected business use.
- Tune carefully because `.nomedia` can be used legitimately by Android applications; detections should consider folder location, owning application, media volume, timing, and incident context.
- During investigations, compare user-visible media results with file-system or forensic views to identify concealed multimedia staging.
- Because the official detection field is not provided, detection engineering should document local assumptions, data-source availability, and false-positive handling rather than treating DET0659 as a complete analytic.
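To make the detection direction above concrete, the following is an added example (not ATT&CK or Glexia code) that runs the hunt over a constructed Android file listing of the kind a forensic file-system inventory or `adb shell find /sdcard` would produce. It flags directories whose `.nomedia` marker actually conceals media, ranks those outside expected app-private paths first, and computes the gap between media the scanner would index and media present on disk. It assumes that a `.nomedia` marker suppresses scanning of the directory and its subdirectories, and the allowlist `EXPECTED_NOMEDIA_PREFIXES` and all sample paths are constructed for illustration.

```python
"""Hunt for concealed multimedia staging in an Android file-system inventory.

Added example, not ATT&CK or Glexia code. Input is a flat list of absolute
paths (as from a forensic file listing or `adb shell find /sdcard`); all
sample paths and the allowlist below are constructed for illustration.
"""
import posixpath

MEDIA_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".webp", ".heic",
                    ".mp4", ".3gp", ".mkv", ".webm"}

# Constructed sample inventory (not taken from a real device).
SAMPLE_LISTING = [
    "/sdcard/DCIM/Camera/IMG_20240101_101500.jpg",
    "/sdcard/Pictures/Screenshots/Screenshot_20240101.png",
    "/sdcard/Android/data/com.example.chat/cache/.nomedia",
    "/sdcard/Android/data/com.example.chat/cache/thumb_001.jpg",
    "/sdcard/Android/data/com.example.chat/cache/thumb_002.jpg",
    "/sdcard/.sys_cache/.nomedia",
    "/sdcard/.sys_cache/IMG_20240101_101500.jpg",
    "/sdcard/.sys_cache/Screenshot_20240101.png",
    "/sdcard/.sys_cache/rec/VID_20240101.mp4",
    "/sdcard/Music/.nomedia",  # marker with no media beneath it
]

# Hypothetical allowlist: app-private external storage, where a .nomedia
# marker is routinely legitimate (thumbnail and cache directories). Tune per fleet.
EXPECTED_NOMEDIA_PREFIXES = ("/sdcard/Android/data/",)


def is_media(path):
    return posixpath.splitext(path)[1].lower() in MEDIA_EXTENSIONS


def nomedia_dirs(listing):
    """Directories that carry a .nomedia marker."""
    return {posixpath.dirname(p) for p in listing
            if posixpath.basename(p) == ".nomedia"}


def is_under(path, directory):
    return path.startswith(directory.rstrip("/") + "/")


def concealed_media(listing):
    """Map each .nomedia directory to the media files it hides.

    Assumption: the marker suppresses scanning of the directory and everything
    below it, so media in subdirectories is hidden as well.
    """
    hidden = {}
    for d in nomedia_dirs(listing):
        files = sorted(p for p in listing if is_media(p) and is_under(p, d))
        if files:  # a marker with nothing beneath it is noise, not staging
            hidden[d] = files
    return hidden


def scanner_visible_media(listing):
    """Approximate the media set the scanner, and therefore Gallery, would index."""
    dirs = nomedia_dirs(listing)
    return sorted(p for p in listing if is_media(p)
                  and not any(is_under(p, d) for d in dirs))


def gallery_gap(listing):
    """Media present on the file system but absent from the user-visible view."""
    visible = set(scanner_visible_media(listing))
    return sorted(p for p in listing if is_media(p) and p not in visible)


def hunt(listing, expected_prefixes=EXPECTED_NOMEDIA_PREFIXES):
    """Rank .nomedia directories that actually conceal media, highest priority first."""
    findings = []
    for d, files in concealed_media(listing).items():
        expected = d.startswith(expected_prefixes)
        findings.append({
            "directory": d,
            "media_count": len(files),
            "files": files,
            # Media hidden outside an expected app path is the strongest signal.
            "severity": "low" if expected else "high",
        })
    findings.sort(key=lambda f: (f["severity"] != "high",
                                 -f["media_count"], f["directory"]))
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LISTING):
        print(f'{f["severity"].upper():4} {f["directory"]} '
              f'({f["media_count"]} media files)')
    print("On disk but hidden from Gallery:", gallery_gap(SAMPLE_LISTING))
```

On the sample listing the `/sdcard/.sys_cache` directory ranks first because it hides three media files outside any expected app path, the chat app's cache is reported at low severity because the marker is expected there, and `/sdcard/Music` is dropped because its marker conceals nothing. Severity here is only a triage hint; the owning application, file timestamps relative to suspected capture activity, and incident context still decide whether a finding is staging or benign housekeeping.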
Mitigation priorities
- Establish mobile visibility requirements for Android devices that handle sensitive media, including the ability to inspect relevant storage locations during authorized investigations.
- Use mobile device management and mobile security controls, where available, to restrict untrusted applications and preserve investigation access to device storage evidence.
- Define IR playbooks for suspected mobile media capture or staging, including forensic collection steps and chain-of-custody expectations.
- Educate risk owners that absence of files in Gallery does not prove absence of stored media on Android devices.
- Align mobile data-handling policies with compliance obligations for screenshots, photos, videos, and other sensitive multimedia collected on enterprise-managed devices.
Analyst notes and limits
The strongest decision value is to verify whether the organization can observe concealed multimedia on Android devices rather than relying on user-visible applications. The relationship to T1628.003 provides the relevant behavior and Android context; the detection strategy object itself is sparse and does not include official detection text.
ATT&CK provides no official description, detection logic, tactics, or platforms for DET0659 in the supplied fields. The Android-specific context comes from the related technique T1628.003, not from the detection strategy object’s own platform field. Local device management architecture, privacy rules, logging depth, and forensic authority will determine practical coverage.
Detection of Conceal Multimedia Files
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Mobile | T1628.003 | Conceal Multimedia Files (sub-technique) | This object detects Conceal Multimedia Files. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources, Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 3d1b96cc3be4… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: DET0659 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.