Adversaries may mimic common operating system GUI components to prompt users for sensitive information with a seemingly legitimate prompt. The operating system and installed applications often have legitimate needs to prompt the user for sensitive information such as account credentials, bank account information, or Personally Identifiable Information (PII). Compared to traditional PCs, the constrained display size of mobile devices may impair the ability to provide users with contextual information, making users more susceptible to this technique’s use.
There are several approaches adversaries may use to mimic this functionality. Adversaries may impersonate the identity of a legitimate application (e.g. use the same application name and/or icon) and, when installed on the device, may prompt the user for sensitive information. Adversaries may also send fake device notifications to the user that may trigger the display of an input prompt when clicked.
Additionally, adversaries may display a prompt on top of a running, legitimate application to trick users into entering sensitive information into a malicious application rather than the legitimate application. Typically, adversaries need to know when the targeted application, and the individual activity within it, are running in the foreground so that the prompt is displayed at the proper time. Adversaries can abuse Android’s accessibility features to determine which application is currently in the foreground. Two known approaches to displaying a prompt include:
Using the SYSTEM_ALERT_WINDOW permission to create overlay windows. This permission is handled differently than typical Android permissions and, at least under certain conditions, is automatically granted to applications installed from the Google Play Store. The SYSTEM_ALERT_WINDOW permission and its associated ability to create application overlay windows are expected to be deprecated in a future release of Android in favor of a new API.
Gustuff uses WebView overlays to prompt the user for their device unlock code, as well as banking and cryptocurrency application credentials. Gustuff can also send push notifications pretending to be from a bank, triggering a phishing overlay.
Marcher attempts to overlay itself on top of legitimate banking apps in an effort to capture user credentials. Marcher also attempts to overlay itself on top of legitimate apps such as the Google Play Store in an effort to capture user credit card information.
Red Alert 2.0 (S0539)
An EMM/MDM can use the Android
Use Recent OS Version (M1006)
Android users can view and manage which applications hold the SYSTEM_ALERT_WINDOW permission through the device settings in Apps & notifications -> Special app access -> Display over other apps (the exact menu location may vary between Android versions).
Application vetting services can look for applications requesting the android.permission.SYSTEM_ALERT_WINDOW permission in the list of permissions in the app manifest.
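The manifest check above, as an added example (not part of the ATT&CK page or any vetting product): it flags the overlay permission and, because the technique description relies on accessibility features to learn the foreground app, also lists any accessibility service the app declares. It assumes the manifest is in decoded text form (as produced by tools such as apktool), not the binary format packaged inside an APK; the sample manifest is constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"          # android:name
PERM_ATTR = f"{{{ANDROID_NS}}}permission"    # android:permission

OVERLAY_PERMISSION = "android.permission.SYSTEM_ALERT_WINDOW"
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def vet_manifest(manifest_xml: str) -> dict:
    """Report overlay-related indicators found in a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    requested = {el.get(NAME_ATTR) for el in root.iter("uses-permission")}
    # An accessibility service is a <service> protected by BIND_ACCESSIBILITY_SERVICE;
    # such a service can observe which app is currently in the foreground.
    accessibility_services = [
        svc.get(NAME_ATTR)
        for svc in root.iter("service")
        if svc.get(PERM_ATTR) == ACCESSIBILITY_BIND
    ]
    findings = {
        "package": root.get("package"),
        "requests_overlay": OVERLAY_PERMISSION in requested,
        "accessibility_services": accessibility_services,
    }
    # The overlay permission alone is common in benign apps; combined with an
    # accessibility service it matches the pattern described above and warrants review.
    findings["review"] = findings["requests_overlay"] and bool(accessibility_services)
    return findings


# Constructed sample, modelled on the layout of a decoded manifest (not a real app).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <application android:label="Constructed App">
        <service android:name=".WatcherService"
            android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
    </application>
</manifest>"""

if __name__ == "__main__":
    for key, value in vet_manifest(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```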