Input Injection

A malicious application can inject input to the user interface to mimic user interaction through the abuse of Android's accessibility APIs.

Input Injection can be achieved using any of the following methods:

  • Mimicking user clicks on the screen, for example to steal money from a user's PayPal account.[1]
  • Injecting global actions, such as GLOBAL_ACTION_BACK (programatically mimicking a physical back button press), to trigger actions on behalf of the user.[2]
  • Inserting input into text fields on behalf of the user. This method is used legitimately to auto-fill text fields by applications such as password managers.[3]
ID: T1516
Sub-techniques:  No sub-techniques
Tactic Type: Post-Adversary Device Access
Tactics: Defense Evasion, Impact
Platforms: Android
Contributors: Lukáš Štefanko, ESET
Version: 1.1
Created: 15 September 2019
Last Modified: 24 June 2020

Procedure Examples

Name Description

Cerberus can inject input to grant itself additional permissions without user interaction and to prevent application removal.[4][5]


DEFENSOR ID can abuse the accessibility service to perform actions on behalf of the user, including launching attacker-specified applications to steal data.[6]


Ginp can inject input to make itself the default SMS handler.[7]


Gustuff injects the global action GLOBAL_ACTION_BACK to mimic pressing the back button to close the application if a call to an open antivirus application is detected.[2]


Mandrake abuses the accessibility service to prevent removing administrator permissions, accessibility permissions, and to set itself as the default SMS handler.[8]


Riltok injects input to set itself as the default SMS handler by clicking the appropriate places on the screen. It can also close or minimize targeted antivirus applications and the device security settings screen.[9]


TrickMo can inject input to set itself as the default SMS handler, and to automatically click through pop-ups without giving the user any time to react.[10]


Zen can simulate user clicks on ads and system prompts to create new Google accounts.[11]


Mitigation Description
Application Vetting

Applications that register an accessibility service should be scrutinized further for malicious behavior.

Enterprise Policy

An EMM/MDM can use the Android DevicePolicyManager.setPermittedAccessibilityServices method to set an explicit list of applications that are allowed to use Android's accessibility features.

User Guidance

Users should be warned against granting access to accessibility features, and to carefully scrutinize applications that request this dangerous permission.


Users can view applications that have registered accessibility services in the accessibility menu within the device settings.