|T1453||Abuse Accessibility Features|
A malicious app could abuse Android's accessibility features to capture sensitive data or perform other malicious actions.
|T1413||Access Sensitive Data in Device Logs|
On versions of Android prior to 4.1, an adversary may use a malicious application that holds the READ_LOGS permission to obtain private keys, passwords, other credentials, or other sensitive data stored in the device's system log. On Android 4.1 and later, an adversary would need to attempt to perform an operating system privilege escalation attack to be able to access the log.
|T1409||Access Sensitive Data or Credentials in Files|
An adversary could attempt to read files that contain sensitive data or credentials (e.g., private keys, passwords, access tokens). This technique requires either escalated privileges or for the targeted app to have stored the data in an insecure manner (e.g., with insecure file permissions or in an insecure location such as an external storage directory).
|T1416||Android Intent Hijacking|
A malicious app can register to receive intents meant for other applications and may then be able to receive sensitive values such as OAuth authorization codes.
|T1414||Capture Clipboard Data|
A malicious app or other attack vector could capture sensitive data stored in the device clipboard, for example passwords being copy-and-pasted from a password manager app.
|T1412||Capture SMS Messages|
A malicious application could capture sensitive data sent via SMS, including authentication credentials. SMS is frequently used to transmit codes used for multi-factor authentication.
|T1405||Exploit TEE Vulnerability|
A malicious app or other attack vector could be used to exploit vulnerabilities in code running within the Trusted Execution Environment (TEE) . The adversary could then obtain privileges held by the TEE potentially including the ability to access cryptographic keys or other sensitive data . Escalated operating system privileges may be first required in order to have the ability to attack the TEE . If not, privileges within the TEE can potentially be used to exploit the operating system .
|T1417||Malicious Third Party Keyboard App|
A malicious app can register as a device keyboard and intercept keypresses containing sensitive values such as usernames and passwords.
|T1410||Network Traffic Capture or Redirection|
An adversary may capture network traffic to and from the device to obtain credentials or other sensitive data, or redirect network traffic to flow through an adversary-controlled gateway to do the same.
|T1415||URL Scheme Hijacking|
An iOS application may be able to maliciously claim a URL scheme, allowing it to intercept calls that are meant for a different application. This technique, for example, could be used to capture OAuth authorization codes or to phish user credentials.
|T1411||User Interface Spoofing|
User Interface Spoofing can be used to trick users into providing sensitive information, such as account credentials, bank account information, or Personally Identifiable Information (PII) to an unintended entity.