Skip to content

T1517 Access Notifications

A malicious application can read notifications sent by the operating system or other applications, which may contain sensitive data such as one-time authentication codes sent over SMS, email, or other mediums. A malicious application can also dismiss notifications to prevent the user from noticing that the notifications arrived and can trigger action buttons contained within notifications.1

Item Value
ID T1517
Tactics TA0035, TA0031
Platforms Android
Version 1.0
Created 15 September 2019
Last Modified 09 July 2020

Procedure Examples

ID Name Description
S0432 Bread Bread can collect device notifications.6
S0425 Corona Updates Corona Updates can collect messages from GSM, WhatsApp, Telegram, Facebook, and Threema by reading the application’s notification content.3
S0485 Mandrake Mandrake can capture all device notifications and hide notifications from the user.4
S0489 WolfRAT WolfRAT can receive system notifications.5


ID Mitigation Description
M1013 Application Developer Guidance Application developers could be encouraged to avoid placing sensitive data in notification text.
M1012 Enterprise Policy On Android devices with a managed work profile (enterprise managed portion of the device), the DevicePolicyManager.setPermittedCrossProfileNotificationListeners method can be used to manage the list of applications (including setting it to an empty list) running within the primary user (personal side of the device) that can see notifications occurring within the managed profile. However, this policy only affects notifications generated within the managed profile, not by the rest of the device. The DevicePolicyManager.setApplicationHidden method can be used to disable unwanted applications that are accessing notifications, but using this method would block that entire application from running.2


Back to top