T1628.003: Conceal Multimedia Files
Adversaries may attempt to hide multimedia files from the user. By doing so, adversaries may conceal captured files, such as pictures, videos and/or screenshots, then later exfiltrate those files.
Specific to Android devices, if the `.nomedia` file is present in a folder, multimedia files in that folder will not be visible to the user in the Gallery application. Additionally, other applications are asked not to scan the folder with the `.nomedia` file, effectively making the folder appear invisible to the user.
This technique is often used by stalkerware and spyware applications.
Analyst context for executives and security teams
Conceal Multimedia Files is an Android mobile technique where an adversary hides captured pictures, videos, or screenshots from the user, commonly by placing them in folders that Android media apps are asked not to scan. The business issue is not the hidden file itself; it is that surveillance-oriented apps can reduce the chance a user notices captured sensitive media before later exfiltration.
Executive priority
Treat this as a mobile privacy, executive protection, and incident-response readiness concern. It matters most where Android devices may handle sensitive conversations, site images, personal data, government information, critical infrastructure context, or regulated evidence. Leaders should ask whether the organization can investigate Android devices for hidden media artifacts, whether mobile monitoring is authorized and privacy-aware, and how suspected spyware or stalkerware findings would be escalated. ATT&CK associates this technique with a 'Do Not Mitigate' mitigation category, so priority should be on detection, investigation, user support, and device governance rather than trying to block all legitimate media-hiding behavior.
Technical view
For SOC, mobile security, and IR teams, validate whether Android device investigations can identify hidden multimedia storage locations, especially folders containing a `.nomedia` file and media files not visible in the Gallery application. Because ATT&CK provides no official detection text for this object, teams should use the related DET0659 detection strategy as a starting point but confirm the actual logic, data sources, permissions, and privacy constraints in their own environment. This sub-technique sits under Hide Artifacts, so it should be assessed alongside other signs of mobile artifact concealment and suspicious applications, not as a standalone indicator of compromise.
Likely telemetry
- Android filesystem inventory or forensic collection showing folders and `.nomedia` files
- Lists of multimedia files stored outside normal user-visible Gallery views
- Mobile device management or mobile threat defense application inventory, where available
- Application permission and behavior context for apps that can capture images, video, or screenshots
- User reports of suspected surveillance, missing media visibility, or unexpected device behavior
Detection direction
- Confirm whether the organization can enumerate `.nomedia` files and correlate them with hidden pictures, videos, or screenshots on Android devices under investigation.
- Tune analysis to distinguish legitimate app cache or media-management behavior from suspicious concealment, since `.nomedia` can have benign uses.
- Prioritize detections when hidden media appears near suspicious, untrusted, or privacy-invasive applications, especially apps with access to camera, storage, screen capture, or similar sensitive capabilities.
- Avoid relying on the Gallery application or user-visible media views as evidence that sensitive media is absent from the device.
- Use the relationship to Hide Artifacts to look for broader concealment behavior during mobile IR, not only hidden multimedia files.
Mitigation priorities
- Do not implement broad mitigation that blocks or removes all `.nomedia` usage; ATT&CK maps this technique to M1059 Do Not Mitigate, indicating that mitigation may increase risk or cause undesirable side effects.
- Focus first on mobile governance: approved app sources, device enrollment expectations, user reporting paths, and incident triage procedures for suspected spyware or stalkerware.
- Strengthen investigation readiness by ensuring responders have an authorized method to collect Android filesystem and application context when a device is in scope.
- Use least-privilege and mobile application review practices to reduce unnecessary access to camera, storage, screenshots, and other sensitive capabilities where organizationally manageable.
- For high-risk users, consider security awareness and support processes that explain why hidden media artifacts may matter and how to report concerns safely.
Analyst notes and limits
The supplied ATT&CK object is Android-specific and describes concealment of multimedia files, including use of `.nomedia`, often by stalkerware and spyware applications. Relationship context includes a detection strategy, DET0659, and one group relationship to Windshift; this summary does not infer current activity or customer exposure from that relationship.
MITRE provides no official detection text, no tactics for this object, and no detailed DET0659 logic in the supplied fields. Local Android telemetry availability, user consent, device ownership model, and mobile security tooling will determine whether this behavior can be observed reliably.
Conceal Multimedia Files
Adversaries may attempt to hide multimedia files from the user. By doing so, adversaries may conceal captured files, such as pictures, videos and/or screenshots, then later exfiltrate those files.
Specific to Android devices, if the `.nomedia` file is present in a folder, multimedia files in that folder will not be visible to the user in the Gallery application. Additionally, other applications are asked not to scan the folder with the `.nomedia` file, effectively making the folder appear invisible to the user.
This technique is often used by stalkerware and spyware applications.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Related techniques
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Mobile | T1628 | Hide Artifacts | This object subtechnique of Hide Artifacts. |
Groups, software, and campaigns
G0112: Windshift
All related ATT&CK context
Mitigation direction
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | 297a9713fc0e… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack T1628.003Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.