T1636.001: Calendar Entries
Adversaries may utilize standard operating system APIs to gather calendar entry data. On Android, this can be accomplished using the Calendar Content Provider. On iOS, this can be accomplished using the `EventKit` framework.
If the device has been jailbroken or rooted, an adversary may be able to access Calendar Entries without the user’s knowledge or approval.
Analyst context for executives and security teams
Calendar Entries is a mobile data-access behavior where an app uses normal Android or iOS APIs to read calendar data, or may bypass user approval if the device is rooted or jailbroken. For leaders, this matters because calendars often expose meetings, locations, relationships, travel, and sensitive operational plans even when email or document controls are strong.
Executive priority
Treat this as a mobile privacy and operational-security risk, especially for executives, legal, finance, government-facing, and field teams. The key business question is whether the organization can prove which mobile apps are permitted to access calendar data, whether high-risk devices are rooted or jailbroken, and whether user guidance and mobile governance provide sufficient audit evidence that permission-backed data stores are protected.
Technical view
Validate coverage on Android and iOS for access to permission-backed calendar data. On Android, focus on apps declaring or using calendar access through the Calendar Content Provider and related manifest permissions. On iOS, focus on apps declaring and using EventKit access through Info.plist permissions and user consent flows. Because ATT&CK provides no official detection text for this technique, SOC and mobile security teams should map local telemetry to the related detection strategy DET0674 and test whether calendar-access events, app permissions, app inventory, and jailbreak/root status are observable.
Likely telemetry
- Mobile app inventory and package/bundle metadata
- Android application manifest permissions related to calendar access
- iOS Info.plist permission declarations related to EventKit/calendar access
- User consent or permission grant state for calendar access
- Mobile device management or enterprise mobility management posture data
Detection direction
- Baseline which approved apps legitimately need calendar access and alert on unexpected or newly installed apps requesting it.
- Correlate calendar-access permissions with app source, device ownership model, and user role to reduce false positives from legitimate productivity apps.
- Prioritize devices with root or jailbreak indicators because the ATT&CK description notes calendar entries may be accessed without user knowledge or approval in those states.
- Use the relationship to DET0674 as a prompt to verify an explicit mobile detection strategy exists; ATT&CK does not provide built-in detection logic for this object.
- Consider relationship context: ATT&CK links this technique to multiple mobile software entries, including Android surveillanceware/malware families, so detections should not rely only on known family names.
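One way to apply the detection direction above to a mobile app-inventory export, as an added example (not ATT&CK, DET0674, or vendor code). The record fields, approved-app baseline, install-source labels and scoring weights are assumptions, and the sample rows are constructed; the Android permission names and iOS Info.plist keys are the platforms' own.

```python
# Added example. Field names are an assumed export shape, not a real MDM/EMM
# schema; app ids, devices and weights are constructed for illustration.
ANDROID_CAL = {"android.permission.READ_CALENDAR",
               "android.permission.WRITE_CALENDAR"}
IOS_CAL = {"NSCalendarsUsageDescription",
           "NSCalendarsFullAccessUsageDescription",
           "NSCalendarsWriteOnlyAccessUsageDescription"}
APPROVED = {"com.example.corpmail", "com.example.scheduler"}  # local baseline
TRUSTED_SOURCES = {"managed_store", "play_store", "app_store"}
HIGH_RISK_ROLES = {"executive", "legal", "finance"}
FIELDS = ("device", "os", "compromised", "role", "app", "source",
          "declared", "granted")
ROWS = [  # constructed sample rows, one per (device, app)
    ("dev-a01", "android", False, "executive", "com.example.corpmail",
     "managed_store", ["android.permission.READ_CALENDAR"], True),
    ("dev-a01", "android", False, "executive", "com.example.flashlight",
     "sideload", ["android.permission.READ_CALENDAR"], True),
    ("dev-i07", "ios", True, "engineer", "com.example.scheduler",
     "app_store", ["NSCalendarsFullAccessUsageDescription"], False),
    ("dev-i09", "ios", False, "finance", "com.example.notes",
     "app_store", ["NSCameraUsageDescription"], False),
    ("dev-a12", "android", True, "legal", "com.example.wallpaper",
     "sideload", ["android.permission.READ_CALENDAR"], True),
]
INVENTORY = [dict(zip(FIELDS, row)) for row in ROWS]

def calendar_keys(r):
    # Calendar-related manifest permissions or Info.plist keys the app declares.
    wanted = ANDROID_CAL if r["os"] == "android" else IOS_CAL
    return sorted(wanted & set(r["declared"]))

def triage(inventory):
    findings = []
    for r in inventory:
        keys = calendar_keys(r)
        unapproved = r["app"] not in APPROVED
        # Skip apps without calendar access and baseline apps on healthy devices.
        if not keys or not (unapproved or r["compromised"]):
            continue
        # Root/jailbreak weighs most: user approval no longer bounds access.
        score = (3 * r["compromised"] + 2 * unapproved
                 + 2 * (r["source"] not in TRUSTED_SOURCES)
                 + r["granted"] + (r["role"] in HIGH_RISK_ROLES))
        findings.append({"device": r["device"], "app": r["app"],
                         "keys": keys, "score": score})
    return sorted(findings, key=lambda f: -f["score"])

if __name__ == "__main__":
    for f in triage(INVENTORY):
        print(f["score"], f["device"], f["app"], ", ".join(f["keys"]))
```

An approved app still surfaces when its device is rooted or jailbroken, because the permission and consent state reported for that device can no longer be relied on.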
Mitigation priorities
- Apply user guidance, consistent with M1011, so users understand calendar permission prompts and risky app installation behavior.
- Restrict or review apps that request calendar access without a clear business need.
- Enforce mobile device posture controls that identify rooted or jailbroken devices before allowing access to sensitive enterprise services.
- Maintain an approved mobile app inventory and permission review process for Android and iOS.
- For high-risk users, periodically audit calendar permission grants and mobile app changes as part of incident readiness and compliance evidence.
Analyst notes and limits
This is a sub-technique of T1636 Protected User Data and replaces the revoked T1435 Access Calendar Entries entry. ATT&CK relationships show use by several mobile software objects, mostly Android-focused in the supplied context, and one broader surveillanceware entry with Android and iOS scope. Use these relationships for threat modeling, not as proof of current activity in any environment.
ATT&CK lists no tactics and provides no official detection text for this technique. The supplied data supports Android and iOS platform coverage, API/permission concepts, user guidance mitigation, and root/jailbreak risk, but local device telemetry is required to determine actual exposure or detection coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Related techniques
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Mobile | T1636 | Protected User Data | This object is a sub-technique of Protected User Data. |
| Mobile | T1435 | Access Calendar Entries | Access Calendar Entries was revoked by this object. |
Groups, software, and campaigns
S0405: Exodus
S0408: FlexiSpy
S0328: Stealth Mango
Stealth Mango is Android malware that has reportedly been used to successfully compromise the mobile devices of government officials, members of the military, medical professionals, and civilians. The iOS malware known as Tangelo is believed to be from the same developer. [1]
S0316: Pegasus for Android
Pegasus for Android is the Android version of malware that has reportedly been linked to the NSO Group. [1] [2] The iOS version is tracked separately under Pegasus for iOS.
S0407: Monokle
S1082: Sunbird
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 2fb6a4bde838… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] NIST Mobile Threat Catalogue APP-13
- [2] mitre-attack T1636.001
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.