Skip to content

T1517 Access Notifications

Adversaries may collect data within notifications sent by the operating system or other applications. Notifications may contain sensitive data such as one-time authentication codes sent over SMS, email, or other mediums. In the case of Credential Access, adversaries may attempt to intercept one-time code sent to the device. Adversaries can also dismiss notifications to prevent the user from noticing that the notification has arrived and can trigger action buttons contained within notifications.1

Item Value
ID T1517
Sub-techniques
Tactics TA0035, TA0031
Platforms Android
Version 1.2
Created 15 September 2019
Last Modified 24 October 2025

Procedure Examples

ID Name Description
S1061 AbstractEmu AbstractEmu can monitor notifications.3
S0432 Bread Bread can collect device notifications.8
C0033 C0033 During C0033, PROMETHIUM used StrongPity to collect message notifications from 17 applications.19
S1083 Chameleon Chameleon has registered as an SMSBroadcast receiver to monitor incoming SMS messages.10
S0425 Corona Updates Corona Updates can collect messages from GSM, WhatsApp, Telegram, Facebook, and Threema by reading the application’s notification content.11
S1092 Escobar Escobar can monitor a device’s notifications.14
S1103 FlixOnline FlixOnline requests access to the NotificationListenerService, which can allow it to manipulate a device’s notifications.17
S1067 FluBot FluBot can access app notifications.16
S1077 Hornbill Hornbill has monitored for SMS and WhatsApp notifications.13
S0485 Mandrake Mandrake can capture all device notifications and hide notifications from the user.9
S1062 S.O.V.A. S.O.V.A. can silently intercept and manipulate notifications. S.O.V.A. can also inject cookies via push notifications.12
S1055 SharkBot SharkBot can intercept notifications to send to the C2 server and take advantage of the Direct Reply feature.18
S1195 SpyC23 SpyC23 reads notifications from applications and connected wearables.7654
S0489 WolfRAT WolfRAT can receive system notifications.15

Mitigations

ID Mitigation Description
M1013 Application Developer Guidance Application developers could be encouraged to avoid placing sensitive data in notification text.
M1012 Enterprise Policy On Android devices with a work profile, the DevicePolicyManager.setPermittedCrossProfileNotificationListeners method can be used to manage the list of applications running within the personal profile that can access notifications generated within the work profile. This policy would not affect notifications generated by the rest of the device. The DevicePolicyManager.setApplicationHidden method can be used to disable notification access for unwanted applications, but this method would also block that entire application from running.2
M1011 User Guidance Users should be wary of granting applications dangerous or privacy-intrusive permissions, such as access to notifications.

References

  1. Lukáš Štefanko. (2019, June 17). Malware sidesteps Google permissions policy with new 2FA bypass technique. Retrieved September 15, 2019. 

  2. Android. (n.d.). DevicePolicyManager. Retrieved September 15, 2019. 

  3. P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. Retrieved February 6, 2023. 

  4. Cyware. (2020, October 2). APT‑C‑23 is Still Active and Enhancing its Mobile Spying Capabilities. Retrieved December 2, 2024. 

  5. Delamotte, A. (2023, November 6). Arid Viper | APT’s Nest of SpyC23 Malware Continues to Target Android Devices. Retrieved December 2, 2024. 

  6. Kohli, P. (2021, November 23). Android APT spyware, targeting Middle East victims, enhances evasiveness. Retrieved November 17, 2024. 

  7. Stefanko, L. (2020, September 30). APT‑C‑23 group evolves its Android spyware. Retrieved March 4, 2024. 

  8. Hazum, A., Melnykov, B., Wernik, I.. (2020, July 9). New Joker variant hits Google Play with an old trick. Retrieved July 20, 2020. 

  9. R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020. 

  10. Cyble Research & Intelligence Labs. (2023, April 13). Banking Trojan targeting mobile users in Australia and Poland. Retrieved August 16, 2023. 

  11. T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. Retrieved April 24, 2020. 

  12. ThreatFabric. (2021, September 9). S.O.V.A. - A new Android Banking trojan with fowl intentions. Retrieved February 6, 2023. 

  13. Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. Retrieved June 9, 2023. 

  14. B. Toulas. (2022, March 12). Android malware Escobar steals your Google Authenticator MFA codes. Retrieved September 28, 2023. 

  15. W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back… . Retrieved July 20, 2020. 

  16. Crista Giering, F. Naves, Andrew Conway, Adam McNeil . (2021, April 27). FluBot Android Malware Spreading Rapidly Through Europe, May Hit U.S. Soon. Retrieved February 28, 2023. 

  17. Aviran Hazum, Bodgan Melnykov, Israel Wenik. (2021, April 7). New Wormable Android Malware Spreads by Creating Auto-Replies to Messages in WhatsApp. Retrieved January 26, 2024. 

  18. RIFT: Research and Intelligence Fusion Team. (2022, March 3). SharkBot: a “new” generation Android banking Trojan being distributed on Google Play Store. Retrieved January 18, 2023. 

  19. Stefanko, L. (2023, January 10). StrongPity espionage campaign targeting Android users. Retrieved January 31, 2023.