T1636.002: Call Log
Adversaries may utilize standard operating system APIs to gather call log data. On Android, this can be accomplished using the Call Log Content Provider. iOS provides no standard API to access the call log.
If the device has been jailbroken or rooted, an adversary may be able to access the Call Log without the user’s knowledge or approval.
Analyst context for executives and security teams
Call log access is a mobile data-collection behavior where an app or compromised device can expose who a user communicated with and when. For executives and security leaders, the risk is not only privacy: call metadata can reveal sensitive relationships, investigations, customers, executives, legal contacts, or operational activity. Android supports call log access through operating system APIs when permissions or elevated access allow it; iOS has no standard call log API, so access is more associated with jailbreak/root-style conditions or escalated privileges.
Executive priority
Prioritize this as a mobile privacy, executive protection, and incident scoping issue rather than a standalone endpoint alert. Leaders should ask whether managed mobile devices restrict risky apps and permissions, whether jailbroken or rooted devices are detected, and whether incident response can determine if call metadata was exposed. This also matters for compliance evidence where call records or contact patterns may be sensitive personal or business data.
Technical view
SOC, mobile security, and IR teams should validate coverage on Android and iOS separately. On Android, review whether mobile management, app vetting, or endpoint telemetry can identify apps requesting or using call log-related permissions and whether those requests are expected for the app’s business purpose. On iOS, focus validation on jailbreak indicators and unauthorized access paths because the supplied ATT&CK description states there is no standard iOS API for call log access. ATT&CK provides no official detection text for this object, but the related detection strategy DET0602 indicates detection content exists at the strategy level and should be reviewed before claiming coverage.
Likely telemetry
- Mobile device management inventory and compliance state
- Installed mobile application inventory
- Android application manifest permissions related to call log access
- User permission grant state where available
- Jailbreak or root detection signals
Detection direction
- Validate whether Android apps with call log access are rare, approved, and justified by business function.
- Tune detections to distinguish expected telecom, dialer, or enterprise communications apps from unusual third-party apps requesting protected user data.
- For iOS, prioritize detection of jailbroken devices or other elevated-access conditions rather than looking for normal API usage.
- Use relationship context from known mobile malware and spyware entries as threat-informed test cases, without assuming those tools are present in the environment.
- Account for blind spots on personally owned or unmanaged devices, devices outside mobile management, and cases where users approve permissions without understanding the data exposure.
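The telemetry and detection items above can be turned into a concrete check over an app inventory. The following is an added example, not ATT&CK content or the page's own tooling: it parses the `<uses-permission>` entries of Android manifests, looks for the real call-log permissions `android.permission.READ_CALL_LOG` and `android.permission.WRITE_CALL_LOG` (the permissions that gate the Call Log Content Provider), and flags any package that requests them but is not on an approved dialer/telecom list. The inventory records, package names, install-source labels and the allowlist are constructed for the example; a real deployment would feed these from MDM or app-vetting exports.

```python
"""Flag Android apps that request call-log permissions without an approved business purpose.

Added example for this page; the inventory format, package names and allowlist are
constructed/hypothetical. The permission names and the manifest XML namespace are real.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Real Android permissions that gate reads/writes of the call log content provider.
CALL_LOG_PERMISSIONS = {
    "android.permission.READ_CALL_LOG",
    "android.permission.WRITE_CALL_LOG",
}

# Hypothetical allowlist: package name -> business justification recorded by app review.
APPROVED_CALL_LOG_APPS = {
    "com.android.dialer": "stock dialer",
    "com.example.corp.ucclient": "enterprise unified-communications client (constructed)",
}


def manifest_permissions(manifest_xml: str) -> set[str]:
    """Return the set of <uses-permission> names declared in an AndroidManifest.xml string."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    for node in root.iter("uses-permission"):
        # android:name lives in the Android XML namespace, so look it up by Clark notation.
        name = node.get(f"{{{ANDROID_NS}}}name")
        if name:
            perms.add(name)
    return perms


def review_inventory(inventory):
    """Review app records (dicts with package, source, manifest) for call-log access.

    Returns a list of (package, reason, severity). Unapproved apps that were not delivered
    through the managed store are rated high, managed-store ones medium; approved apps are
    recorded at info level so the review decision remains auditable.
    """
    findings = []
    for app in inventory:
        requested = manifest_permissions(app["manifest"]) & CALL_LOG_PERMISSIONS
        if not requested:
            continue
        pkg = app["package"]
        if pkg in APPROVED_CALL_LOG_APPS:
            findings.append((pkg, f"approved: {APPROVED_CALL_LOG_APPS[pkg]}", "info"))
            continue
        severity = "high" if app.get("source") != "managed_store" else "medium"
        reason = "unapproved app requests " + ", ".join(sorted(requested))
        findings.append((pkg, reason, severity))
    return findings


def _manifest(package, *perms):
    """Build a minimal constructed AndroidManifest.xml string for the sample inventory."""
    uses = "".join(f'<uses-permission android:name="{p}"/>' for p in perms)
    return (f'<manifest xmlns:android="{ANDROID_NS}" package="{package}">'
            f'{uses}<application/></manifest>')


# Constructed sample inventory: a system dialer, a sideloaded "VPN" app that also wants the
# call log and SMS, a harmless managed-store app, and a managed-store CRM that writes the log.
SAMPLE_INVENTORY = [
    {"package": "com.android.dialer", "source": "system",
     "manifest": _manifest("com.android.dialer",
                           "android.permission.READ_CALL_LOG", "android.permission.CALL_PHONE")},
    {"package": "com.example.freevpn", "source": "sideload",
     "manifest": _manifest("com.example.freevpn", "android.permission.INTERNET",
                           "android.permission.READ_CALL_LOG", "android.permission.READ_SMS")},
    {"package": "com.example.notes", "source": "managed_store",
     "manifest": _manifest("com.example.notes", "android.permission.INTERNET")},
    {"package": "com.example.crm", "source": "managed_store",
     "manifest": _manifest("com.example.crm", "android.permission.WRITE_CALL_LOG")},
]

if __name__ == "__main__":
    for pkg, reason, sev in review_inventory(SAMPLE_INVENTORY):
        print(f"[{sev}] {pkg}: {reason}")
```

Run as a script it prints one line per finding; the sideloaded VPN-lookalike comes out as high severity, which matches the disguise pattern the RatMilad entry below describes. The info-level records for approved apps are deliberate: they are the audit evidence that a call-log-capable app was reviewed and accepted, which the mitigation priorities on this page ask teams to retain.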
Mitigation priorities
- Apply user guidance so users understand mobile permission prompts, risky app installation behavior, and the significance of call log access.
- Reduce exposure through managed app allowlisting, app vetting, and review of permission-backed data access on enrolled devices.
- Monitor and enforce compliance against rooted or jailbroken devices where policy allows.
- Include call log exposure questions in mobile incident response playbooks, especially for executives, legal, finance, investigations, or operational roles.
- Retain evidence of policy, user guidance, device compliance checks, and app review decisions for audit and privacy readiness.
Analyst notes and limits
This object is a sub-technique of T1636 Protected User Data and supersedes the revoked T1433 Access Call Log. ATT&CK relationships show use by multiple mobile software entries and campaign C0033, which supports its relevance for threat-informed mobile defense. The supplied object has no ATT&CK tactics and no official detection text, so local control validation is required.
This take is limited to the supplied ATT&CK fields, external references, and relationships. It does not establish active exploitation, customer exposure, attribution, or guaranteed detectability. Detection and mitigation feasibility depend on device ownership model, mobile management coverage, OS version, app inventory, permission visibility, and whether devices are rooted or jailbroken.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Related techniques
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Mobile | T1433 | Access Call Log | Revoked; superseded by this object. |
| Mobile | T1636 | Protected User Data | This object is a sub-technique of Protected User Data. |
Groups, software, and campaigns
S1241: RatMilad
RatMilad is an Android remote access tool (RAT) with spyware functionality that has been used to target enterprise mobile devices in the Middle East since at least 2021. Variants of RatMilad have been disguised as VPN applications and a fake app named NumRent. Upon installation, RatMilad employs multiple Collection techniques to collect sensitive information before uploading the collected data to its command and control (C2) server.[1]
S0544: HenBox
S9006: VajraSpy
VajraSpy is Android malware distributed via trojanized messaging and news applications. It has been used to target individuals in Pakistan and India since at least 2021 and has been delivered through the Google Play Store, malicious domains, and other uncontrolled distribution channels. VajraSpy is attributed with high confidence to Patchwork, which has used the malware to conduct targeted espionage, primarily against devices in Pakistan.[1][2][3]
S0489: WolfRAT
S0292: AndroRAT
AndroRAT is an open-source remote access tool for Android devices. AndroRAT is capable of collecting data, such as device location and call logs, and of executing actions, such as sending SMS messages and taking pictures.[1][2][3] It was originally made available through the `The404Hacking` GitHub repository.[2]
S1080: Fakecalls
S0304: Android/Chuli.A
Android/Chuli.A is Android malware that was delivered to activist groups via a spearphishing email with an attachment.[1]
S0289: Pegasus for iOS
Pegasus for iOS is the iOS version of malware that has reportedly been linked to the NSO Group. It has been advertised and sold to target high-value victims.[1][2] The Android version is tracked separately under Pegasus for Android.
S0425: Corona Updates
Corona Updates is Android spyware that took advantage of the Coronavirus pandemic. The campaign distributing this spyware is tracked as Project Spy. Multiple variants of this spyware have been discovered to have been hosted on the Google Play Store.[1]
S0399: Pallas
Pallas is mobile surveillanceware that was custom-developed by Dark Caracal.[1]
S0316: Pegasus for Android
Pegasus for Android is the Android version of malware that has reportedly been linked to the NSO Group.[1][2] The iOS version is tracked separately under Pegasus for iOS.
S0550: DoubleAgent
DoubleAgent is a family of RAT malware dating back to 2013, known to target groups with contentious relationships with the Chinese government.[1]
C0033: C0033
C0033 was a PROMETHIUM campaign during which they used StrongPity to target Android users. C0033 was the first publicly documented mobile campaign for PROMETHIUM, who previously used Windows-based techniques.[1]
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources (Updates) page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | d407e4a95f76… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] NIST Mobile Threat Catalogue APP-13
- [2] mitre-attack T1636.002
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.