adpare
108 lines
8.5 KiB
JSON
108 lines
8.5 KiB
JSON
{
|
|
"type": "bundle",
|
|
"id": "bundle--c49afb7c-d3ef-47ce-840e-f31b78ddfcc4",
|
|
"spec_version": "2.0",
|
|
"objects": [
|
|
{
|
|
"type": "attack-pattern",
|
|
"id": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512",
|
|
"created": "2022-04-05T19:48:31.195Z",
|
|
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
|
|
"revoked": false,
|
|
"external_references": [
|
|
{
|
|
"source_name": "mitre-attack",
|
|
"url": "https://attack.mitre.org/techniques/T1417/002",
|
|
"external_id": "T1417.002"
|
|
},
|
|
{
|
|
"source_name": "Felt-PhishingOnMobileDevices",
|
|
"description": "A.P. Felt and D. Wagner. (2011, May 26). Phishing on Mobile Devices. Retrieved August 25, 2016.",
|
|
"url": "http://w2spconf.com/2011/papers/felt-mobilephishing.pdf"
|
|
},
|
|
{
|
|
"source_name": "Android Background",
|
|
"description": "Android Developers. (n.d.). Restrictions on starting activities from the background. Retrieved September 18, 2019.",
|
|
"url": "https://developer.android.com/guide/components/activities/background-starts"
|
|
},
|
|
{
|
|
"source_name": "Cloak and Dagger",
|
|
"description": "Fratantonio, Y., et al.. (2017). Cloak & Dagger. Retrieved September 12, 2024.",
|
|
"url": "https://cloak-and-dagger.org/"
|
|
},
|
|
{
|
|
"source_name": "Group IB Gustuff Mar 2019",
|
|
"description": "Group-IB. (2019, March 28). Group-IB uncovers Android Trojan named \u00abGustuff\u00bb capable of targeting more than 100 global banking apps, cryptocurrency and marketplace applications. Retrieved September 3, 2019.",
|
|
"url": "https://www.group-ib.com/blog/gustuff"
|
|
},
|
|
{
|
|
"source_name": "eset-finance",
|
|
"description": "Luk\u00e1\u0161 \u0160tefanko. (2016, July 7). Fake finance apps on Google Play target users from around the world. Retrieved September 24, 2018.",
|
|
"url": "https://www.welivesecurity.com/2018/09/19/fake-finance-apps-google-play-target-around-world/"
|
|
},
|
|
{
|
|
"source_name": "Hassell-ExploitingAndroid",
|
|
"description": "R. Hassell. (2011, October 12-13). Exploiting Androids for Fun and Profit. Retrieved October 10, 2019.",
|
|
"url": "https://conference.hitb.org/hitbsecconf2011kul/materials/D1T1%20-%20Riley%20Hassell%20-%20Exploiting%20Androids%20for%20Fun%20and%20Profit.pdf"
|
|
},
|
|
{
|
|
"source_name": "XDA Bubbles",
|
|
"description": "Rahman, M.. (2019, May 8). Bubbles in Android Q will fully replace the overlay API in a future Android version. Retrieved September 18, 2019.",
|
|
"url": "https://www.xda-developers.com/android-q-system-alert-window-deprecate-bubbles/"
|
|
},
|
|
{
|
|
"source_name": "NowSecure Android Overlay",
|
|
"description": "Ramirez, T.. (2017, May 25). \u2018SAW\u2019-ing through the UI: Android overlay malware and the System Alert Window permission explained. Retrieved September 18, 2019.",
|
|
"url": "https://www.nowsecure.com/blog/2017/05/25/android-overlay-malware-system-alert-window-permission/"
|
|
},
|
|
{
|
|
"source_name": "ThreatFabric Cerberus",
|
|
"description": "ThreatFabric. (2019, August). Cerberus - A new banking Trojan from the underworld. Retrieved September 18, 2019.",
|
|
"url": "https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html"
|
|
},
|
|
{
|
|
"source_name": "Skycure-Accessibility",
|
|
"description": "Yair Amit. (2016, March 3). \u201cAccessibility Clickjacking\u201d \u2013 The Next Evolution in Android Malware that Impacts More Than 500 Million Devices. Retrieved November 17, 2024.",
|
|
"url": "https://web.archive.org/web/20170211204349/https://www.skycure.com/blog/accessibility-clickjacking/"
|
|
},
|
|
{
|
|
"source_name": "NIST Mobile Threat Catalogue",
|
|
"url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-31.html",
|
|
"external_id": "APP-31"
|
|
}
|
|
],
|
|
"object_marking_refs": [
|
|
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
|
|
],
|
|
"modified": "2025-10-24T17:48:45.045Z",
|
|
"name": "GUI Input Capture",
|
|
"description": "Adversaries may mimic common operating system GUI components to prompt users for sensitive information with a seemingly legitimate prompt. The operating system and installed applications often have legitimate needs to prompt the user for sensitive information such as account credentials, bank account information, or Personally Identifiable Information (PII). Compared to traditional PCs, the constrained display size of mobile devices may impair the ability to provide users with contextual information, making users more susceptible to this technique\u2019s use.(Citation: Felt-PhishingOnMobileDevices)\n\nThere are several approaches adversaries may use to mimic this functionality. Adversaries may impersonate the identity of a legitimate application (e.g. use the same application name and/or icon) and, when installed on the device, may prompt the user for sensitive information.(Citation: eset-finance) Adversaries may also send fake device notifications to the user that may trigger the display of an input prompt when clicked.(Citation: Group IB Gustuff Mar 2019) \n\nAdditionally, adversaries may display a prompt on top of a running, legitimate application to trick users into entering sensitive information into a malicious application rather than the legitimate application. Typically, adversaries need to know when the targeted application and the individual activity within the targeted application is running in the foreground to display the prompt at the proper time. Adversaries can abuse Android\u2019s accessibility features to determine which application is currently in the foreground.(Citation: ThreatFabric Cerberus) Two known approaches to displaying a prompt include:\n\n* Adversaries start a new activity on top of a running legitimate application.(Citation: Felt-PhishingOnMobileDevices)(Citation: Hassell-ExploitingAndroid) Android 10 places new restrictions on the ability for an application to start a new activity on top of another application, which may make it more difficult for adversaries to utilize this technique.(Citation: Android Background)\n* Adversaries create an application overlay window on top of a running legitimate application. Applications must hold the `SYSTEM_ALERT_WINDOW` permission to create overlay windows. This permission is handled differently than typical Android permissions and, at least under certain conditions, is automatically granted to applications installed from the Google Play Store.(Citation: Cloak and Dagger)(Citation: NowSecure Android Overlay)(Citation: Skycure-Accessibility) The `SYSTEM_ALERT_WINDOW` permission and its associated ability to create application overlay windows are expected to be deprecated in a future release of Android in favor of a new API.(Citation: XDA Bubbles)",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "mitre-mobile-attack",
|
|
"phase_name": "credential-access"
|
|
},
|
|
{
|
|
"kill_chain_name": "mitre-mobile-attack",
|
|
"phase_name": "collection"
|
|
}
|
|
],
|
|
"x_mitre_attack_spec_version": "3.2.0",
|
|
"x_mitre_deprecated": false,
|
|
"x_mitre_detection": "",
|
|
"x_mitre_domains": [
|
|
"mobile-attack"
|
|
],
|
|
"x_mitre_is_subtechnique": true,
|
|
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
|
|
"x_mitre_platforms": [
|
|
"Android",
|
|
"iOS"
|
|
],
|
|
"x_mitre_version": "1.1",
|
|
"x_mitre_tactic_type": [
|
|
"Post-Adversary Device Access"
|
|
]
|
|
}
|
|
]
|
|
} |