Input Capture: GUI Input Capture

ID Name
T1417.001 Keylogging
T1417.002 GUI Input Capture

Adversaries may mimic common operating system GUI components to prompt users for sensitive information with a seemingly legitimate prompt. The operating system and installed applications often have legitimate needs to prompt the user for sensitive information such as account credentials, bank account information, or Personally Identifiable Information (PII). Compared to traditional PCs, the constrained display size of mobile devices may impair the ability to provide users with contextual information, making users more susceptible to this technique’s use.[1]

There are several approaches adversaries may use to mimic this functionality. Adversaries may impersonate the identity of a legitimate application (e.g. use the same application name and/or icon) and, when installed on the device, may prompt the user for sensitive information.[2] Adversaries may also send fake device notifications to the user that may trigger the display of an input prompt when clicked.[3]

Additionally, adversaries may display a prompt on top of a running, legitimate application to trick users into entering sensitive information into a malicious application rather than the legitimate application. Typically, adversaries need to know when the targeted application and the individual activity within the targeted application is running in the foreground to display the prompt at the proper time. Adversaries can abuse Android’s accessibility features to determine which application is currently in the foreground.[4] Two known approaches to displaying a prompt include:

  • Adversaries start a new activity on top of a running legitimate application.[1][5] Android 10 places new restrictions on the ability for an application to start a new activity on top of another application, which may make it more difficult for adversaries to utilize this technique.[6]
  • Adversaries create an application overlay window on top of a running legitimate application. Applications must hold the SYSTEM_ALERT_WINDOW permission to create overlay windows. This permission is handled differently than typical Android permissions and, at least under certain conditions, is automatically granted to applications installed from the Google Play Store.[7][8][9] The SYSTEM_ALERT_WINDOW permission and its associated ability to create application overlay windows are expected to be deprecated in a future release of Android in favor of a new API.[10]
ID: T1417.002
Sub-technique of:  T1417
Tactic Type: Post-Adversary Device Access
Platforms: Android, iOS
MTC ID: APP-31
Version: 1.1
Created: 05 April 2022
Last Modified: 20 March 2023

Procedure Examples

ID Name Description
S0422 Anubis

Anubis can create overlays to capture user credentials for targeted applications.[11]

S0480 Cerberus

Cerberus can generate fake notifications and launch overlay attacks against attacker-specified applications.[12]

S1083 Chameleon

Chameleon can perform overlay attacks against a device by injecting HTML phishing pages into a webview.[13]

S0301 Dendroid

Dendroid can open a dialog box to ask the user for passwords.[14]

S1054 Drinik

Drinik can use overlays to steal user banking credentials entered into legitimate sites.[15]

S1092 Escobar

Escobar can collect credentials using phishing overlays.[16]

S0478 EventBot

EventBot can display popups over running applications.[17]

S0522 Exobot

Exobot can show phishing popups when a targeted application is running.[18]

S1067 FluBot

FluBot can add display overlays onto banking apps to capture credit card information.[19]

S1093 FlyTrap

FlyTrap has used infected applications with Facebook login prompts to steal credentials.[20]

S0423 Ginp

Ginp can use a multi-step phishing overlay to capture banking credentials and then credit card numbers after login.[21]

S0536 GPlayed

GPlayed can show a phishing WebView pretending to be a Google service that collects credit card information.[22]

S0406 Gustuff

Gustuff uses WebView overlays to prompt the user for their device unlock code, as well as banking and cryptocurrency application credentials. Gustuff can also send push notifications pretending to be from a bank, triggering a phishing overlay.[23][3]

S0485 Mandrake

Mandrake can manipulate visual components to trick the user into granting dangerous permissions, and can use phishing overlays and JavaScript injection to capture credentials.[24]

S0317 Marcher

Marcher attempts to overlay itself on top of legitimate banking apps in an effort to capture user credentials. Marcher also attempts to overlay itself on top of legitimate apps such as the Google Play Store in an effort to capture user credit card information.[25]

S0399 Pallas

Pallas uses phishing popups to harvest user credentials.[26]

S0539 Red Alert 2.0

Red Alert 2.0 has used malicious overlays to collect banking credentials.[27]

S0403 Riltok

Riltok can open a fake Google Play screen requesting bank card credentials and mimic the screen of relevant mobile banking apps to request user/bank card details.[28]

S0411 Rotexy

Rotexy can use phishing overlays to capture users' credit card information.[29]

S1062 S.O.V.A.

S.O.V.A. can use overlays capture banking credentials and credit card information, and can open arbitrary WebViews from the C2.[30]

S1055 SharkBot

SharkBot can use a WebView with a fake log in site to capture banking credentials.[31]

S1069 TangleBot

TangleBot can use overlays to cover legitimate applications or screens.[32]

S0545 TERRACOTTA

TERRACOTTA has displayed a form to collect user data after installation.[33]

S1056 TianySpy

TianySpy can utilize WebViews to display fake authentication pages that capture user credentials.[34]

S0558 Tiktok Pro

Tiktok Pro can launch a fake Facebook login page.[35]

S0298 Xbot

Xbot uses phishing pages mimicking Google Play's payment interface as well as bank login pages.[36]

S0297 XcodeGhost

XcodeGhost can prompt a fake alert dialog to phish user credentials.[37]

Mitigations

ID Mitigation Description
M1012 Enterprise Policy

An EMM/MDM can use the Android DevicePolicyManager.setPermittedAccessibilityServices method to set an explicit list of applications that are allowed to use Android's accessibility features.

M1006 Use Recent OS Version

The HIDE_OVERLAY_WINDOWS permission was introduced in Android 12 allowing apps to hide overlay windows of type TYPE_APPLICATION_OVERLAY drawn by other apps with the SYSTEM_ALERT_WINDOW permission, preventing other applications from creating overlay windows on top of the current application.[38]

Detection

ID Data Source Data Component Detects
DS0041 Application Vetting Permissions Requests

Application vetting services can look for applications requesting the android.permission.SYSTEM_ALERT_WINDOW permission in the list of permissions in the app manifest.

DS0042 User Interface System Settings

An Android user can view and manage which applications hold the SYSTEM_ALERT_WINDOW permission through the device settings in Apps & notifications -> Special app access -> Display over other apps (the exact menu location may vary between Android versions).

References

  1. A.P. Felt and D. Wagner. (2011, May 26). Phishing on Mobile Devices. Retrieved August 25, 2016.
  2. Lukáš Štefanko. (2016, July 7). Fake finance apps on Google Play target users from around the world. Retrieved September 24, 2018.
  3. Group-IB. (2019, March 28). Group-IB uncovers Android Trojan named «Gustuff» capable of targeting more than 100 global banking apps, cryptocurrency and marketplace applications. Retrieved September 3, 2019.
  4. ThreatFabric. (2019, August). Cerberus - A new banking Trojan from the underworld. Retrieved September 18, 2019.
  5. R. Hassell. (2011, October 12-13). Exploiting Androids for Fun and Profit. Retrieved October 10, 2019.
  6. Android Developers. (n.d.). Restrictions on starting activities from the background. Retrieved September 18, 2019.
  7. Fratantonio, Y., et al.. (2017). Cloak & Dagger. Retrieved September 18, 2019.
  8. Ramirez, T.. (2017, May 25). ‘SAW’-ing through the UI: Android overlay malware and the System Alert Window permission explained. Retrieved September 18, 2019.
  9. Yair Amit. (2016, March 3). “Accessibility Clickjacking” – The Next Evolution in Android Malware that Impacts More Than 500 Million Devices. Retrieved December 21, 2016.
  10. Rahman, M.. (2019, May 8). Bubbles in Android Q will fully replace the overlay API in a future Android version. Retrieved September 18, 2019.
  11. M. Feller. (2020, February 5). Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. Retrieved April 8, 2020.
  12. Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. Retrieved June 26, 2020.
  13. Cyble Research & Intelligence Labs. (2023, April 13). Banking Trojan targeting mobile users in Australia and Poland. Retrieved August 16, 2023.
  14. Marc Rogers. (2014, March 6). Dendroid malware can take over your camera, record audio, and sneak into Google Play. Retrieved December 22, 2016.
  15. Cyble. (2022, October 27). Drinik Malware Returns With Advanced Capabilities Targeting Indian Taxpayers. Retrieved January 18, 2023.
  16. B. Toulas. (2022, March 12). Android malware Escobar steals your Google Authenticator MFA codes. Retrieved September 28, 2023.
  17. D. Frank, L. Rochberger, Y. Rimmer, A. Dahan. (2020, April 30). EventBot: A New Mobile Banking Trojan is Born. Retrieved June 26, 2020.
  18. Threat Fabric. (2017, February). Exobot - Android banking Trojan on the rise. Retrieved October 29, 2020.
  19. Crista Giering, F. Naves, Andrew Conway, Adam McNeil . (2021, April 27). FluBot Android Malware Spreading Rapidly Through Europe, May Hit U.S. Soon. Retrieved February 28, 2023.
  1. Trend Micro. (2021, August 17). FlyTrap Android Malware Is Taking Over Facebook Accounts — Protect Yourself With a Malware Scanner. Retrieved September 28, 2023.
  2. ThreatFabric. (2019, November). Ginp - A malware patchwork borrowing from Anubis. Retrieved April 8, 2020.
  3. V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market . Retrieved November 24, 2020.
  4. Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia . Retrieved September 3, 2019.
  5. R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020.
  6. Proofpoint. (2017, November 3). Credential phishing and an Android banking Trojan combine in Austrian mobile attacks. Retrieved July 6, 2018.
  7. Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.
  8. J. Chandraiah. (2018, July 23). Red Alert 2.0: Android Trojan targets security-seekers. Retrieved December 14, 2020.
  9. Tatyana Shishkova. (2019, June 25). Riltok mobile Trojan: A banker with global reach. Retrieved August 7, 2019.
  10. T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan – banker and ransomware. Retrieved September 23, 2019.
  11. ThreatFabric. (2021, September 9). S.O.V.A. - A new Android Banking trojan with fowl intentions. Retrieved February 6, 2023.
  12. RIFT: Research and Intelligence Fusion Team. (2022, March 3). SharkBot: a “new” generation Android banking Trojan being distributed on Google Play Store. Retrieved January 18, 2023.
  13. Felipe Naves, Andrew Conway, W. Stuart Jones, Adam McNeil . (2021, September 23). TangleBot: New Advanced SMS Malware Targets Mobile Users Across U.S. and Canada with COVID-19 Lures. Retrieved February 28, 2023.
  14. Satori Threat Intelligence and Research Team. (2020, August). TERRACOTTA Android Malware: A Technical Study. Retrieved December 18, 2020.
  15. Trend Micro. (2022, January 25). TianySpy Malware Uses Smishing Disguised as Message From Telco. Retrieved January 11, 2023.
  16. S. Desai. (2020, September 8). TikTok Spyware. Retrieved January 5, 2021.
  17. Cong Zheng, Claud Xiao and Zhi Xu. (2016, February 18). New Android Trojan “Xbot” Phishes Credit Cards and Bank Accounts, Encrypts Devices for Ransom. Retrieved December 21, 2016.
  18. Claud Xiao. (2015, September 18). Update: XcodeGhost Attacker Can Phish Passwords and Open URLs through Infected Apps. Retrieved December 21, 2016.
  19. Google. (2022, April 4). Features and APIs Overview. Retrieved April 5, 2022.