1. Home
  2. Techniques
  3. Mobile
  4. Access Sensitive Data in Device Logs

Access Sensitive Data in Device Logs

On versions of Android prior to 4.1, an adversary may use a malicious application that holds the READ_LOGS permission to obtain private keys, passwords, other credentials, or other sensitive data stored in the device's system log. On Android 4.1 and later, an adversary would need to attempt to perform an operating system privilege escalation attack to be able to access the log.

ID: T1413
Sub-techniques:  No sub-techniques
Tactic Type: Post-Adversary Device Access
Platforms: Android
MTC ID: APP-3, APP-13
Version: 1.0
Created: 25 October 2017
Last Modified: 17 October 2018
Provided by LAYER 8

Procedure Examples

ID Name Description
S0423 Ginp

Ginp can download device log data.[1]
S0544 HenBox

HenBox can monitor system logs.[2]

Mitigations

ID Mitigation Description
M1013 Application Developer Guidance

Application developers should be discouraged from writing sensitive data to the system log in production apps.
M1005 Application Vetting
M1001 Security Updates
M1006 Use Recent OS Version

Starting in Android 4.1, this technique requires privilege escalation for malicious applications to perform, as apps can no longer access the system log (other than log entries added by a particular app itself). (Additionally, with physical access to the device, the system log could be accessed via USB through the Android Debug Bridge.)[3]

References

  1. ThreatFabric. (2019, November). Ginp - A malware patchwork borrowing from Anubis. Retrieved April 8, 2020.
  2. A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. Retrieved September 9, 2019.
  1. Dianne Hackborn. (2012, July 12). Re: READ_LOGS permission is not granted to 3rd party applications in Jelly Bean (api 16). Retrieved December 21, 2016.