MITRE ATT&CK® Technique

T1406.001: Steganography

Adversaries may use steganography techniques in order to prevent the detection of hidden information. Steganographic techniques can be used to hide data in digital media such as images, audio tracks, video clips, or text files.

Mobile | T1406.001 | Sub-technique | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

Steganography in the mobile ATT&CK context is the hiding of information inside ordinary-looking media files such as images, audio, video, or text. For an Android environment, this matters because normal file appearance is not enough to establish safety: hidden content can make malicious payloads, configuration, or other data harder for analysts and controls to recognize as suspicious.

Executive priority

Treat this as a mobile defense-evasion and investigation-readiness concern under the broader ATT&CK technique Obfuscated Files or Information. Leaders should ask whether Android fleet security, mobile incident response, and malware analysis processes can preserve and inspect media-like files when needed. The business risk is not that every image or media file is malicious, but that weak mobile telemetry and limited file analysis can delay triage, containment, and evidence production during an incident.

Technical view

For SOC, detection engineering, and IR teams, validation should focus on Android file and application evidence rather than relying on the file extension or visible content. MITRE provides no official detection text for this object, but the relationship to DET0677 indicates a detection strategy exists for steganography. Because this is a sub-technique of Obfuscated Files or Information, teams should test whether mobile malware analysis workflows can identify suspicious embedded or hidden data in media/text files and correlate that with application behavior. The Agent Smith relationship provides relevant context that Android malware has been documented using this behavior, but it should not be treated as evidence of current exposure in any specific environment.

Likely telemetry

  • Android application inventory and package metadata
  • Files created, modified, downloaded, or accessed by Android applications, especially media and text files
  • Mobile security or EDR alerts related to suspicious file handling or obfuscated content
  • Malware analysis artifacts from submitted Android applications and associated resources
  • Network or application transfer records involving media-like files when available

Detection direction

  • Validate whether DET0677-aligned steganography detection logic is implemented or mapped in the mobile detection program.
  • Tune analysis to avoid assuming benignity from common media extensions or normal visual playback alone.
  • Correlate suspicious media/text files with Android app behavior, package lineage, permissions, and unexpected file access patterns.
  • Account for false positives: legitimate applications frequently create and process compressed, encoded, or media-rich content.
  • Confirm whether mobile telemetry retains enough file metadata or samples for later analysis; lack of sample capture is a likely blind spot.
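One concrete form of the "do not assume benignity from the extension or normal playback" point above, as an added example that is not part of the Glexia or MITRE text: a structural check that walks a PNG's chunk list, verifies every chunk CRC, and reports any bytes that follow the IEND chunk. Image viewers stop decoding at IEND, so a file can render normally while carrying appended content; this check does not see data hidden in pixel values, which needs statistical or format-specific analysis. The `classify` helper and the `build_png_1x1` sample are assumptions for illustration.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def png_trailing_bytes(data: bytes) -> int:
    """Walk the PNG chunk list and return how many bytes follow IEND (0 for a
    cleanly terminated file). Raises ValueError when the signature, chunk
    lengths or chunk CRCs do not hold together, which is itself a finding."""
    if not data.startswith(PNG_SIG):
        raise ValueError("signature mismatch: not a PNG")
    pos = len(PNG_SIG)
    while True:
        if pos + 8 > len(data):
            raise ValueError("truncated chunk header")
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 8 + length + 4  # header + payload + CRC
        if end > len(data):
            raise ValueError(f"{ctype!r} chunk overruns file")
        stored_crc = struct.unpack(">I", data[end - 4:end])[0]
        if stored_crc != zlib.crc32(data[pos + 4:end - 4]) & 0xFFFFFFFF:
            raise ValueError(f"bad CRC in {ctype!r} chunk")
        pos = end
        if ctype == b"IEND":
            return len(data) - pos  # decoders stop here; anything after is not image

def classify(data: bytes) -> str:
    """Triage verdict for a file presented as a PNG (hypothetical helper):
    'clean', 'trailing-data' or 'malformed'."""
    try:
        extra = png_trailing_bytes(data)
    except ValueError:
        return "malformed"
    return "trailing-data" if extra else "clean"

def build_png_1x1() -> bytes:
    """Constructed sample input: a minimal valid 1x1 RGB PNG."""
    def chunk(ctype: bytes, body: bytes) -> bytes:
        crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
        return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit RGB
    idat = zlib.compress(b"\x00" + b"\x00\x00\x00")  # filter byte + one pixel
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")

if __name__ == "__main__":
    clean = build_png_1x1()
    print(classify(clean), classify(clean + b"constructed appended blob"))
```

Run against APK resources or files written by a suspect app, a "trailing-data" or "malformed" verdict is a reason to pull the sample for analysis, not a conviction, since some legitimate tooling also leaves junk after IEND.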

Mitigation priorities

  • Prioritize mobile application vetting and malware analysis for Android apps before and during deployment.
  • Ensure incident response procedures can collect relevant Android files and app artifacts without destroying evidence.
  • Strengthen mobile security monitoring around suspicious file creation, modification, and transfer by applications.
  • Define retention and privacy-aware handling for media and text artifacts that may require forensic review.
  • Document coverage and gaps for steganography detection as part of mobile security and compliance evidence.

Analyst notes and limits

The supplied ATT&CK object is a mobile sub-technique for Android and is linked to the broader Obfuscated Files or Information technique. The only software relationship supplied is Agent Smith, an Android malware family described by MITRE as replacing legitimate applications with malicious versions that include fraudulent ads. This context supports mobile malware relevance but not claims about current exploitation or any organization-specific exposure.

MITRE supplies no official detection text, no tactics for this object, and no mitigation content in the provided fields. Practical coverage depends on local Android telemetry, app analysis capability, file retention, privacy constraints, and whether teams implement or adapt the related DET0677 detection strategy.

Official MITRE ATT&CK definition

Steganography

Adversaries may use steganography techniques in order to prevent the detection of hidden information. Steganographic techniques can be used to hide data in digital media such as images, audio tracks, video clips, or text files.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row

Domain: Mobile
ID: T1406
Name: Obfuscated Files or Information
Relationship / procedure: This object is a sub-technique of Obfuscated Files or Information.

Associated objects

Groups, software, and campaigns

Malware Mobile

S0440: Agent Smith

Agent Smith is mobile malware that generates financial gain by replacing legitimate applications on devices with malicious versions that include fraudulent ads. As of July 2019 Agent Smith had infected around 25 million devices, primarily targeting India though effects had been observed in other Asian countries as well as Saudi Arabia, the United Kingdom, and the United States.[1]

Platforms: Android

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: e0aa29c17751ff5f...

Imported snapshots across ATT&CK releases (1)

Release: 19.1 | Bundle imported: | Object version: 1.0 | Modified: | Status: Current bundle | Raw hash: e0aa29c17751…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack T1406.001 (open source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.