User Interface

Visual activity on the device that could alert the user to potentially malicious behavior.

ID: DS0042
Platforms: Android, iOS
Collection Layer: Device
Version: 1.0
Created: 13 March 2023
Last Modified: 13 March 2023

Data Components

User Interface: Permissions Request

System prompts triggered when an application requests new or additional permissions

Domain ID Name Detects
Mobile T1626 Abuse Elevation Control Mechanism

When an application requests administrator permission, the user is presented with a popup and the option to grant or deny the request.

.001 Device Administrator Permissions

The user is prompted for approval when an application requests device administrator permissions.

Mobile T1638 Adversary-in-the-Middle

On both Android and iOS, the user must grant consent to an application to act as a VPN. Both platforms also provide visual context to the user in the top status bar when a VPN connection is active. The user can see registered VPN services in the device settings.

Mobile T1662 Data Destruction

The user is prompted for approval when an application requests device administrator permissions.

Mobile T1420 File and Directory Discovery

On Android, the user is presented with a permissions popup when an application requests access to external device storage.

Mobile T1663 Remote Access Software

Remote access software typically requires many privileged permissions, such as accessibility services or device administrator.

User Interface: System Notifications

Notifications generated by the OS

Domain ID Name Detects
Mobile T1616 Call Control

The user can review available call logs for irregularities, such as missing or unrecognized calls.

Mobile T1627 .001 Execution Guardrails: Geofencing

On Android 10 and later, the system shows a notification to the user when an app has been accessing device location in the background.

Mobile T1541 Foreground Persistence

The user can see persistent notifications in their notification drawer and can subsequently uninstall applications that do not belong.

Mobile T1430 .001 Location Tracking: Remote Device Management Services

Google sends a notification to the device when Android Device Manager is used to locate it. Additionally, Google provides the ability for users to view their general account activity and alerts users when their credentials have been used on a new device. Apple iCloud also provides notifications to users of account activity such as when credentials have been used.

Mobile T1655 Masquerading

Unexpected behavior from an application could be an indicator of masquerading.

.001 Match Legitimate Name or Location

Unexpected behavior from an application could be an indicator of masquerading.

Mobile T1464 Network Denial of Service
Mobile T1644 Out of Band Data

If the user sees a notification with text they do not recognize, they should review their list of installed applications.

Mobile T1635 Steal Application Access Token

On Android, users may be presented with a popup to select the appropriate application to open a URI in. If the user sees an application they do not recognize, they can remove it.

.001 URI Hijacking

On Android, users may be presented with a popup to select the appropriate application to open the URI in. If the user sees an application they do not recognize, they can remove it.

User Interface: System Settings

Settings visible to the user on the device

Domain ID Name Detects
Mobile T1626 .001 Abuse Elevation Control Mechanism: Device Administrator Permissions

The user can see which applications are registered as device administrators in the device settings.

Mobile T1517 Access Notifications

The user can inspect and modify the list of applications that have notification access through the device settings (e.g. Apps & notifications -> Special app access -> Notification access).

Mobile T1429 Audio Capture

In iOS 14 and up, an orange dot (or orange square if the Differentiate Without Color setting is enabled) appears in the status bar when the microphone is being used by an application. However, there have been demonstrations indicating it may still be possible to access the microphone in the background without triggering this visual indicator by abusing features that natively access the microphone or camera but do not trigger the visual indicators.[1]

In Android 12 and up, a green dot appears in the status bar when the microphone is being used by an application.[2]

Mobile T1616 Call Control

The user can view their default phone app in device settings.

Mobile T1662 Data Destruction

The user may view applications with administrator access through the device settings and may also notice if user data is inexplicably missing.

Mobile T1642 Endpoint Denial of Service

On Android, the user can review which applications have Device Administrator access in the device settings and revoke permission where appropriate.

Mobile T1627 Execution Guardrails

The user can review which applications have location and sensitive phone information permissions in the operating system’s settings menu.

.001 Geofencing

The user can review which applications have location permissions in the operating system’s settings menu.

Mobile T1643 Generate Traffic from Victim

On Android, the user can review which applications can use premium SMS features in the "Special access" page within application settings.

Mobile T1628 Hide Artifacts

The user can examine the list of all installed applications in the device settings.

.001 Suppress Application Icon

The user can examine the list of all installed applications, including those with a suppressed icon, in the device settings. If the user is redirected to the device settings when tapping an application’s icon, they should inspect the application to ensure it is genuine.

Mobile T1629 .001 Impair Defenses: Prevent Application Removal

The user can view a list of device administrators and applications that have registered accessibility services in device settings. The user can typically see when an action they did not initiate takes place and can subsequently review installed applications for any out-of-place or unknown ones. Applications that register an accessibility service or request device administrator permissions should be scrutinized further for malicious behavior.

.002 Impair Defenses: Device Lockout

The user can view a list of device administrators in device settings and revoke permission where appropriate. Applications that request device administrator permissions should be scrutinized further for malicious behavior.

.003 Impair Defenses: Disable or Modify Tools

The user can view a list of active device administrators in the device settings.

Mobile T1630 Indicator Removal on Host

The user can view applications with administrator access through the device settings, and may also notice if user data is inexplicably missing. The user can see a list of applications that can use accessibility services in the device settings.

.001 Uninstall Malicious Application

The user can see a list of applications that can use accessibility services in the device settings.

.002 File Deletion

The user can view applications with administrator access through the device settings, and may also notice if user data is inexplicably missing.

Mobile T1417 Input Capture

The user can view and manage installed third-party keyboards.

.001 Keylogging

On Android, the user can view and manage which applications have third-party keyboard access through the device settings in System -> Languages & input -> Virtual keyboard. On iOS, the user can view and manage which applications have third-party keyboard access through the device settings in General -> Keyboard.

.002 GUI Input Capture

An Android user can view and manage which applications hold the SYSTEM_ALERT_WINDOW permission through the device settings in Apps & notifications -> Special app access -> Display over other apps (the exact menu location may vary between Android versions).

Mobile T1516 Input Injection

The user can view applications that have registered accessibility services in the accessibility menu within the device settings.

Mobile T1430 Location Tracking

In both Android (6.0 and up) and iOS, the user can view which applications have the permission to access the device location through the device settings screen and revoke permissions as necessary.

Mobile T1636 Protected User Data

The user can view permissions granted to an application in device settings.

.001 Calendar Entries

On both Android and iOS, the user can manage which applications have permission to access calendar information through the device settings screen, revoking the permission if necessary.

.002 Call Log

On Android, the user can manage which applications have permission to access the call log through the device settings screen, revoking the permission if necessary.

.003 Contact List

On both Android and iOS, the user can manage which applications have permission to access the contact list through the device settings screen, revoking the permission if necessary.

.004 SMS Messages

On Android, the user can manage which applications have permission to access SMS messages through the device settings screen, revoking the permission if necessary.

Mobile T1513 Screen Capture

The user can view a list of apps with accessibility service privileges in the device settings.

Mobile T1582 SMS Control

The user can view the default SMS handler in system settings.

Mobile T1632 Subvert Trust Controls

On Android, the user can use the device settings menu to view trusted CA certificates and look for unexpected or unknown certificates. A mobile security product could similarly examine the trusted CA certificate store for anomalies. Users can use the device settings menu to view which applications on the device are allowed to install unknown applications.

On iOS, the user can use the device settings menu to view installed Configuration Profiles and look for unexpected or unknown profiles. A Mobile Device Management (MDM) system could use the iOS MDM APIs to examine the list of installed Configuration Profiles for anomalies.

.001 Code Signing Policy Modification

On Android, the user can use the device settings menu to view trusted CA certificates and look for unexpected or unknown certificates. A mobile security product could similarly examine the trusted CA certificate store for anomalies. Users can use the device settings menu to view which applications on the device are allowed to install unknown applications.

On iOS, the user can use the device settings menu to view installed Configuration Profiles and look for unexpected or unknown profiles. A Mobile Device Management (MDM) system could use the iOS MDM APIs to examine the list of installed Configuration Profiles for anomalies.

Mobile T1512 Video Capture

The user can view which applications have permission to use the camera through the device settings screen, where the user can then choose to revoke the permissions.

References