MITRE ATT&CK® Detection Strategy

DET0673: Detection of Audio Capture


Mobile | DET0673 | Detection Strategy | Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

This detection strategy concerns mobile audio capture: malicious or unwanted access to a device microphone to collect conversations, surroundings, calls, or other sensitive information. The ATT&CK detection-strategy object itself is sparse, but its relationship to Mobile ATT&CK technique T1429 makes the business issue clear: organizations that rely on mobile devices for executives, privileged staff, field operations, or regulated conversations should be able to prove how microphone access is governed, monitored, and investigated on Android and iOS.

Executive priority

Prioritize this as a privacy, executive protection, regulatory, and incident-readiness question rather than only a malware question. Leaders should ask whether mobile device management, application approval, permission governance, and SOC/IR workflows can identify inappropriate microphone access and preserve evidence during a suspected mobile compromise. This is especially relevant where mobile devices are used in sensitive meetings, operational environments, or regulated communications.

Technical view

The source object provides no official detection logic, platforms, or tactics, so defenders should anchor validation on the related technique T1429. For Android and iOS, confirm whether the organization can inventory applications with microphone permissions, identify new or unusual permission grants, review app permission changes during incident response, and correlate microphone access concerns with mobile security alerts, device compliance state, application provenance, and user reports. On Android, the related ATT&CK description specifically notes RECORD_AUDIO and CAPTURE_AUDIO_OUTPUT as relevant permissions.

Likely telemetry

  • Mobile device management or enterprise mobility management inventory for installed applications and granted permissions
  • Android application permission data, especially RECORD_AUDIO and CAPTURE_AUDIO_OUTPUT where available
  • iOS application privacy permission state for microphone access where available through management tooling
  • Mobile threat defense or endpoint security alerts related to suspicious app behavior
  • Application installation source, signing, version, and update history

Detection direction

  • Validate that mobile telemetry can answer which apps have microphone access on Android and iOS, not just whether a device is enrolled.
  • Tune review workflows around newly granted microphone permissions, high-risk apps, unmanaged apps, or apps outside approved business need.
  • Correlate permission access with app provenance, device compromise indicators, and user/device risk rather than treating every microphone permission as malicious; many legitimate communications and collaboration apps require it.
  • Include incident-response checks for recent app installs, permission changes, and device compliance state when investigating suspected audio capture.
  • Document blind spots where personal devices, unmanaged mobile apps, limited iOS visibility, or missing mobile threat defense telemetry prevent reliable investigation.
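As an added example of the review logic described above (not Glexia's or MITRE's code), the following Python compares two constructed MDM/EMM inventory snapshots and reports apps whose RECORD_AUDIO or CAPTURE_AUDIO_OUTPUT grant is newly granted, outside the approved-app list, or installed from an untrusted source; the snapshot field names, package names, allowlist and source labels are assumptions.

```python
# Added example (not Glexia's or MITRE's code): flag microphone permission grants
# for review across two constructed MDM/EMM inventory snapshots. Field names,
# package names, the allowlist and install sources are illustrative assumptions.
MIC_PERMISSIONS = {"android.permission.RECORD_AUDIO",
                   "android.permission.CAPTURE_AUDIO_OUTPUT"}
APPROVED_MIC_APPS = {"com.example.meetings", "com.example.dialer"}  # assumed allowlist
TRUSTED_SOURCES = {"managed_store"}  # assumed trusted install sources

# Constructed snapshots: one record per (device, app) with granted permissions.
PREVIOUS = [
    {"device": "dev-01", "package": "com.example.meetings", "source": "managed_store",
     "permissions": ["android.permission.RECORD_AUDIO"]},
    {"device": "dev-01", "package": "com.example.notes", "source": "managed_store",
     "permissions": []},
]
CURRENT = [
    {"device": "dev-01", "package": "com.example.meetings", "source": "managed_store",
     "permissions": ["android.permission.RECORD_AUDIO"]},
    {"device": "dev-01", "package": "com.example.notes", "source": "managed_store",
     "permissions": ["android.permission.RECORD_AUDIO"]},
    {"device": "dev-01", "package": "com.example.sideloaded", "source": "sideload",
     "permissions": ["android.permission.CAPTURE_AUDIO_OUTPUT"]},
]

def mic_grants(snapshot):
    """Map (device, package) -> set of granted microphone permissions."""
    return {(a["device"], a["package"]): set(a["permissions"]) & MIC_PERMISSIONS
            for a in snapshot}

def review_findings(previous, current):
    """Return apps whose microphone access is newly granted, outside the approved
    list, or from an untrusted source; unchanged approved managed apps are skipped."""
    before, now = mic_grants(previous), mic_grants(current)
    source = {(a["device"], a["package"]): a["source"] for a in current}
    findings = []
    for key, perms in now.items():
        if not perms:  # no microphone permission: nothing to review
            continue
        reasons = []
        if perms - before.get(key, set()):
            reasons.append("newly granted")
        if key[1] not in APPROVED_MIC_APPS:
            reasons.append("outside approved business need")
        if source[key] not in TRUSTED_SOURCES:
            reasons.append("untrusted install source: " + source[key])
        if reasons:
            findings.append({"device": key[0], "package": key[1],
                             "permissions": sorted(perms), "reasons": reasons})
    return findings
```

Each finding carries its reasons so an analyst can correlate it with device compliance state and user reports before escalating, rather than treating every microphone grant as malicious.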

Mitigation priorities

  • Establish approved-app and least-permission governance for mobile devices used in business contexts.
  • Use MDM/EMM controls where available to inventory applications, restrict risky app sources, and review microphone permission exposure.
  • Require mobile incident-response procedures that include permission review, app provenance checks, and preservation of relevant device-management evidence.
  • Educate users to report unexpected microphone prompts, privacy indicators, or suspicious mobile app behavior.
  • Use the resulting evidence to support compliance and privacy assurance where sensitive conversations or regulated information may be exposed.

Analyst notes and limits

ATT&CK provides this as detection strategy DET0673 for Detection of Audio Capture and relates it to mobile technique T1429 Audio Capture. The strategy object has no official description or detection text, so this take focuses on defensible validation questions derived from the relationship context and the supplied Android/iOS technique description.

Coverage cannot be assumed from this object. The detection strategy lists no platforms or tactics and provides no official detection analytics. Actual visibility depends on the organization’s mobile management stack, mobile threat defense capabilities, device ownership model, OS restrictions, and whether Android/iOS permission and app telemetry are collected and retained.

Official MITRE ATT&CK definition

Detection of Audio Capture

No official description is available in the imported ATT&CK source object.


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure
Mobile | T1429 | Audio Capture | This object detects Audio Capture.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.

ATT&CK release: 19.1
Object version: 1.0
Raw hash: c3f32d27b1b0d6d0...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | c3f32d27b1b0…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack DET0673

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.