User Interface Spoofing

User Interface Spoofing can be used to trick users into providing sensitive information, such as account credentials, bank account information, or Personally Identifiable Information (PII) to an unintended entity.

Impersonate User Interface of Legitimate App or Device Function

On both Android and iOS, an adversary could impersonate the user interface of a legitimate app or device function to trick a user into entering sensitive information. The constrained display size of mobile devices (compared to traditional PC displays) may impair the ability to provide the user with contextual information (for example, displaying a full web site address) that may alert the user to a potential issue. [1] As described by PRE-ATT&CK (Spearphishing for Information), it is also possible for an adversary to carry out this form of the technique without a direct adversary presence on the mobile devices, e.g. through a spoofed web page.

Impersonate Identity of Legitimate App

On both Android and iOS, a malicious app could impersonate the identity of another app (e.g. use the same app name and/or icon) and somehow get installed on the device (e.g. using Deliver Malicious App via Authorized App Store or Deliver Malicious App via Other Means). The malicious app could then prompt the user for sensitive information. [2]

Abuse OS Features to Interfere with Legitimate App

On older versions of Android, a malicious app could abuse mobile operating system features to interfere with a running legitimate app. [1] [3] However, this technique appears to have been addressed starting in Android 5.0 with the deprecation of the Android's ActivityManager.getRunningTasks method and modification of its behavior [4] and further addressed in Android 5.1.1 [5] to prevent a malicious app from determining what app is currently in the foreground.

ID: T1411

Tactic Type:  Post-Adversary Device Access

Tactic: Credential Access

Platform:  Android, iOS


Version: 1.1


Application Vetting
Use Recent OS Version


Android Overlay Malware

Android Overlay Malware used view overlay techniques to present credential input UIs to trick users into providing their banking credentials.[6]


Marcher attempts to overlay itself on top of legitimate banking apps in an effort to capture user credentials. Marcher also attempts to overlay itself on top of legitimate apps such as the Google Play Store in an effort to capture user credit card information.[7]


Xbot uses phishing pages mimicking Google Play's payment interface as well as bank login pages.[8]


XcodeGhost can prompt a fake alert dialog to phish user credentials.[9]