Translators: 林妙倩, 戴亦仑. Original translation; please obtain the translators' consent before reproducing it.
Data source: ATT&CK Matrices
Original: https://attack.mitre.org/techniques/T1516
Glossary: /attack/glossary
A malicious application can inject input into the user interface to mimic user interaction by abusing Android's accessibility APIs. Input Injection (T1516) can be achieved using any of the following methods:

- `GLOBAL_ACTION_BACK` (programmatically mimicking a physical back button press), to trigger actions on behalf of the user.

ID: T1516
Tactic Type: Post-Adversary Device Access
Tactics: Defense Evasion, Impact
Platform: Android
Name | Description |
---|---|
Gustuff (S0406) | Gustuff injects the global action GLOBAL_ACTION_BACK to mimic pressing the back button to close the application if a call to an open antivirus application is detected. |
Riltok (S0403) | Riltok injects input to set itself as the default SMS handler by clicking the appropriate places on the screen. It can also close or minimize targeted antivirus applications and the device security settings screen. |
Mitigation | Description |
---|---|
Application Vetting (M1005) | Applications that register an accessibility service should be scrutinized further for malicious behavior. |
Enterprise Policy (M1012) | An EMM/MDM can use the Android DevicePolicyManager.setPermittedAccessibilityServices method to whitelist applications that are allowed to use Android's accessibility features. |
User Guidance (M1011) | Users should be warned against granting access to accessibility features, and to carefully scrutinize applications that request this dangerous permission. |
Users can view applications that have registered accessibility services in the accessibility menu within the device settings.
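The following is an added example, not code from the ATT&CK page or from any project it cites. It shows the Enterprise Policy mitigation (M1012) and the detection point above in working Android code: a device-owner or profile-owner app restricts which packages may run accessibility services via `DevicePolicyManager.setPermittedAccessibilityServices`, and separately audits the services currently enabled on the device against the same allowlist. The allowlist contents, the `AdminReceiver` class and the log tag are assumptions; Android keeps system accessibility services permitted regardless of the list.

```java
// Added example (not from the ATT&CK page). Requires the app to be device owner
// or profile owner; AdminReceiver is a hypothetical DeviceAdminReceiver subclass.
import android.accessibilityservice.AccessibilityServiceInfo;
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.util.Log;
import android.view.accessibility.AccessibilityManager;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

public class AccessibilityPolicy {
    private static final String TAG = "AccessibilityPolicy";

    // Constructed allowlist (assumption): only the platform screen reader may run
    // an accessibility service. Adjust to the services your fleet actually needs.
    private static final List<String> ALLOWED_PACKAGES =
            Arrays.asList("com.google.android.marvin.talkback");

    /**
     * Apply the allowlist. Returns false if a non-system accessibility service that
     * is already enabled is not on the list (Android refuses to apply the policy
     * in that case), which is itself a signal worth investigating.
     */
    public static boolean applyPolicy(Context ctx) {
        DevicePolicyManager dpm =
                (DevicePolicyManager) ctx.getSystemService(Context.DEVICE_POLICY_SERVICE);
        ComponentName admin = new ComponentName(ctx, AdminReceiver.class);
        boolean applied = dpm.setPermittedAccessibilityServices(admin, ALLOWED_PACKAGES);
        if (!applied) {
            Log.w(TAG, "Policy not applied: an enabled accessibility service is outside the allowlist");
        }
        return applied;
    }

    /**
     * Audit: return the flattened component names ("package/ServiceClass") of
     * enabled accessibility services whose package is not on the allowlist.
     * This mirrors what a user sees in Settings > Accessibility, but in code.
     */
    public static List<String> findUnexpectedServices(Context ctx) {
        AccessibilityManager am =
                (AccessibilityManager) ctx.getSystemService(Context.ACCESSIBILITY_SERVICE);
        List<AccessibilityServiceInfo> enabled =
                am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK);
        List<String> unexpected = new ArrayList<>();
        for (AccessibilityServiceInfo info : enabled) {
            String id = info.getId();            // e.g. "com.example.app/.BadService"
            int slash = id.indexOf('/');
            String pkg = slash > 0 ? id.substring(0, slash) : id;
            if (!ALLOWED_PACKAGES.contains(pkg)) {
                unexpected.add(id);
            }
        }
        return unexpected;
    }
}
```

Calling `findUnexpectedServices` before `applyPolicy` tells the administrator which service would block the policy; a service that shows up here but is not a known accessibility tool is exactly the kind of app the Application Vetting mitigation says to scrutinize.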