Access Notifications

A malicious application can read notifications sent by the operating system or other applications, which may contain sensitive data such as one-time authentication codes sent over SMS, email, or other mediums. A malicious application can also dismiss notifications to prevent the user from noticing that the notifications arrived and can trigger action buttons contained within notifications.[1]

ID: T1517
Sub-techniques:  No sub-techniques
Tactic Type: Post-Adversary Device Access
Tactics: Collection, Credential Access
Platforms: Android
Contributors: Lukáš Štefanko, ESET
Version: 1.0
Created: 15 September 2019
Last Modified: 28 October 2019

Mitigations

Mitigation Description
Application Developer Guidance

Application developers could be encouraged to avoid placing sensitive data in notification text.

Enterprise Policy

On Android devices with a managed work profile (enterprise managed portion of the device), the DevicePolicyManager.setPermittedCrossProfileNotificationListeners method can be used to manage the list of applications (including setting it to an empty list) running within the primary user (personal side of the device) that can see notifications occurring within the managed profile. However, this policy only affects notifications generated within the managed profile, not by the rest of the device. The DevicePolicyManager.setApplicationHidden method can be used to disable unwanted applications that are accessing notifications, but using this method would block that entire application from running.(Citation:Android Notification Listeners)

Detection

The user can inspect (and modify) the list of applications that have notification access through the device settings (e.g. Apps & notification -> Special app access -> Notification access).

References