Access Notifications

A malicious application can read notifications sent by the operating system or other applications, which may contain sensitive data such as one-time authentication codes sent over SMS, email, or other mediums. A malicious application can also dismiss notifications to prevent the user from noticing that the notifications arrived and can trigger action buttons contained within notifications.[1]

ID: T1517
Sub-techniques: No sub-techniques
Tactic Type: Post-Adversary Device Access
Platforms: Android
Contributors: Lukáš Štefanko, ESET
Version: 1.0
Created: 15 September 2019
Last Modified: 09 July 2020
Provided by LAYER 8

Procedure Examples

ID | Name | Description
S0432 | Bread | Bread can collect device notifications.[2]
S0425 | Corona Updates | Corona Updates can collect messages from GSM, WhatsApp, Telegram, Facebook, and Threema by reading the application’s notification content.[3]
S0485 | Mandrake | Mandrake can capture all device notifications and hide notifications from the user.[4]
S0489 | WolfRAT | WolfRAT can receive system notifications.[5]

Mitigations

ID | Mitigation | Description
M1013 | Application Developer Guidance | Application developers could be encouraged to avoid placing sensitive data in notification text.
M1012 | Enterprise Policy | On Android devices with a managed work profile (enterprise managed portion of the device), the DevicePolicyManager.setPermittedCrossProfileNotificationListeners method can be used to manage the list of applications (including setting it to an empty list) running within the primary user (personal side of the device) that can see notifications occurring within the managed profile. However, this policy only affects notifications generated within the managed profile, not by the rest of the device. The DevicePolicyManager.setApplicationHidden method can be used to disable unwanted applications that are accessing notifications, but using this method would block that entire application from running.[6]

Detection

The user can inspect (and modify) the list of applications that have notification access through the device settings (e.g. Apps & notifications -> Special app access -> Notification access).
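The same list can be reviewed across many devices with a script. The Python below is an added example, not part of the original page: it assumes the list was exported with `adb shell settings get secure enabled_notification_listeners`, which prints colon-separated `package/class` entries, and it flags every listener whose package is not on an allowlist. The package names, sample value and allowlist are constructed.

```python
"""Audit which apps hold Android notification-listener access."""
from __future__ import annotations

from typing import NamedTuple

# Constructed sample of the secure setting's value (not from a real device).
SAMPLE_SETTING = (
    "com.example.launcher/com.example.launcher.BadgeListener"
    ":com.example.flashlight/.NotifyService"
    ":com.example.corp.mdm/com.example.corp.mdm.Listener"
)
# Constructed allowlist: packages expected to read notifications.
ALLOWED = {"com.example.launcher", "com.example.corp.mdm"}


class Listener(NamedTuple):
    package: str
    service: str  # fully qualified service class, "" if the entry was malformed


def parse_listeners(raw: str) -> list[Listener]:
    """Split the colon-separated setting into (package, service) pairs."""
    raw = raw.strip()
    if not raw or raw == "null":  # `settings get` prints "null" when unset
        return []
    listeners = []
    for entry in filter(None, (e.strip() for e in raw.split(":"))):
        package, sep, cls = entry.partition("/")
        if not sep or not package or not cls:
            # Keep malformed entries so the audit reports them.
            listeners.append(Listener(entry, ""))
            continue
        if cls.startswith("."):  # short form is relative to the package
            cls = package + cls
        listeners.append(Listener(package, cls))
    return listeners


def unexpected_listeners(raw: str, allowed: set[str]) -> list[Listener]:
    """Return listeners whose package is not explicitly allowed."""
    return [l for l in parse_listeners(raw) if l.package not in allowed]


if __name__ == "__main__":
    for l in unexpected_listeners(SAMPLE_SETTING, ALLOWED):
        print(f"review notification access: {l.package} ({l.service or 'malformed'})")
```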

References