Input Prompt

The operating system and installed applications often have legitimate needs to prompt the user for sensitive information such as account credentials, bank account information, or Personally Identifiable Information (PII). Adversaries may mimic this functionality to prompt users for sensitive information.

Compared to traditional PCs, the constrained display size of mobile devices may impair the ability to provide users with contextual information, making users more susceptible to this technique’s use.[1]

Specific approaches to this technique include:

Impersonate the identity of a legitimate application

A malicious application could impersonate the identity of a legitimate application (e.g. use the same application name and/or icon) and get installed on the device. The malicious app could then prompt the user for sensitive information.[2]

Display a prompt on top of a running legitimate application

A malicious application could display a prompt on top of a running legitimate application to trick users into entering sensitive information into the malicious application rather than the legitimate application. Typically, the malicious application would need to know when the targeted application (and individual activity within the targeted application) is running in the foreground, so that the malicious application knows when to display its prompt. Android 5.0 and 5.1.1, respectively, increased the difficulty of determining the current foreground application through modifications to the ActivityManager API.[3][4]. A malicious application can still abuse Android’s accessibility features to determine which application is currently in the foreground.[5] Approaches to display a prompt include:

  • A malicious application could start a new activity on top of a running legitimate application.[1][6] Android 10 places new restrictions on the ability for an application to start a new activity on top of another application, which may make it more difficult for adversaries to utilize this technique.[7]
  • A malicious application could create an application overlay window on top of a running legitimate application. Applications must hold the SYSTEM_ALERT_WINDOW permission to create overlay windows. This permission is handled differently than typical Android permissions, and at least under certain conditions is automatically granted to applications installed from the Google Play Store.[8][9][10] The SYSTEM_ALERT_WINDOW permission and its associated ability to create application overlay windows are expected to be deprecated in a future release of Android in favor of a new API.[11]

Fake device notifications

A malicious application could send fake device notifications to the user. Clicking on the device notification could trigger the malicious application to display an input prompt.[12]

ID: T1411
Sub-techniques:  No sub-techniques
Tactic Type: Post-Adversary Device Access
Tactic: Credential Access
Platforms: Android, iOS
MTC ID: APP-31
Version: 2.0
Created: 25 October 2017
Last Modified: 28 October 2019

Procedure Examples

Name Description
Gustuff

Gustuff uses WebView overlays to prompt the user for their device unlock code, as well as banking and cryptocurrency application credentials. Gustuff can also send push notifications pretending to be from a bank, triggering a phishing overlay. [18][12]

Marcher

Marcher attempts to overlay itself on top of legitimate banking apps in an effort to capture user credentials. Marcher also attempts to overlay itself on top of legitimate apps such as the Google Play Store in an effort to capture user credit card information.[14]

Pallas

Pallas uses phishing popups to harvest user credentials.[16]

Riltok

Riltok can open a fake Google Play screen requesting bank card credentials and mimic the screen of relevant mobile banking apps to request user/bank card details.[17]

Rotexy

Rotexy can use phishing overlays to capture users' credit card information.[19]

Xbot

Xbot uses phishing pages mimicking Google Play's payment interface as well as bank login pages.[13]

XcodeGhost

XcodeGhost can prompt a fake alert dialog to phish user credentials.[15]

Mitigations

Mitigation Description
Application Vetting
Enterprise Policy

An EMM/MDM can use the Android DevicePolicyManager.setPermittedAccessibilityServices method to whitelist applications that are allowed to use Android's accessibility features.

Use Recent OS Version

Detection

The user can view and manage which applications hold the SYSTEM_ALERT_WINDOW permission to create overlay windows on top of other apps through the device settings in Apps & notifications -> Special app access -> Display over other apps (the exact menu location may vary between Android versions).

References