Skip to content

T1517 Access Notifications

A malicious application can read notifications sent by the operating system or other applications, which may contain sensitive data such as one-time authentication codes sent over SMS, email, or other mediums. A malicious application can also dismiss notifications to prevent the user from noticing that the notifications arrived and can trigger action buttons contained within notifications.1

Item Value
ID T1517
Sub-techniques
Tactics TA0035, TA0031
Platforms Android
Version 1.0
Created 15 September 2019
Last Modified 09 July 2020

Procedure Examples

ID Name Description
S0432 Bread Bread can collect device notifications.6
S0425 Corona Updates Corona Updates can collect messages from GSM, WhatsApp, Telegram, Facebook, and Threema by reading the application’s notification content.3
S0485 Mandrake Mandrake can capture all device notifications and hide notifications from the user.4
S0489 WolfRAT WolfRAT can receive system notifications.5

Mitigations

ID Mitigation Description
M1013 Application Developer Guidance Application developers could be encouraged to avoid placing sensitive data in notification text.
M1012 Enterprise Policy On Android devices with a managed work profile (enterprise managed portion of the device), the DevicePolicyManager.setPermittedCrossProfileNotificationListeners method can be used to manage the list of applications (including setting it to an empty list) running within the primary user (personal side of the device) that can see notifications occurring within the managed profile. However, this policy only affects notifications generated within the managed profile, not by the rest of the device. The DevicePolicyManager.setApplicationHidden method can be used to disable unwanted applications that are accessing notifications, but using this method would block that entire application from running.2

References

  1. Lukáš Štefanko. (2019, June 17). Malware sidesteps Google permissions policy with new 2FA bypass technique. Retrieved September 15, 2019. 

  2. Android. (n.d.). DevicePolicyManager. Retrieved September 15, 2019. 

  3. T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. Retrieved April 24, 2020. 

  4. R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020. 

  5. W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back… . Retrieved July 20, 2020. 

  6. Hazum, A., Melnykov, B., Wernik, I.. (2020, July 9). New Joker variant hits Google Play with an old trick. Retrieved July 20, 2020. 

Back to top