input注入
恶意应用程序可以向用户界面注入输入,以通过滥用Android的可访问性API来模仿用户交互。
可以使用以下任何一种方法来实现输入注入:
- 模仿用户在屏幕上的点击,例如从用户的PayPal帐户中窃取资金。
- 注入全局动作,例如
GLOBAL_ACTION_BACK(以编程方式模仿物理后退按钮的按下),以代表用户触发动作。 - 代表用户将输入插入文本字段。合法使用此方法由密码管理器等应用程序自动填充文本字段。
A malicious application can inject input to the user interface to mimic user interaction through the abuse of Android's accessibility APIs.Input Injection(T1516) can be achieved using any of the following methods:
- Mimicking user clicks on the screen, for example to steal money from a user's PayPal account.
- Injecting global actions, such as
GLOBAL_ACTION_BACK(programatically mimicking a physical back button press), to trigger actions on behalf of the user. - Inserting input into text fields on behalf of the user. This method is used legitimately to auto-fill text fields by applications such as password managers.
标签
ID编号: T1516
战术类型: 事后访问设备
策略: 绕过防御,影响
平台: Android
程序示例
| 名称 | 描述 |
|---|---|
| Gustuff(S0406) | GLOBAL_ACTION_BACK如果检测到对打开的防病毒应用程序的调用,则Gustuff会]注入全局操作来模仿按下后退按钮以关闭该应用程序。 |
| Riltok(S0403) | Riltok(S0403)注入输入以通过单击屏幕上的适当位置将其自身设置为默认SMS处理程序。它还可以关闭或最小化目标防病毒应用程序和设备安全设置屏幕。 |
| Name | Description |
|---|---|
| Gustuff(S0406) | Gustuff(S0406) injects the global action GLOBAL_ACTION_BACK to mimic pressing the back button to close the application if a call to an open antivirus application is detected. |
| Riltok(S0403) | Riltok(S0403) injects input to set itself as the default SMS handler by clicking the appropriate places on the screen. It can also close or minimize targeted antivirus applications and the device security settings screen |
缓解措施
| 缓解 | 描述 |
|---|---|
| 应用审查(M1005) | 注册可访问性服务的应用程序应进一步检查是否存在恶意行为。 |
| 企业政策(M1012) | EMM / MDM可以使用Android DevicePolicyManager.setPermittedAccessibilityServices方法将允许使用Android的辅助功能的应用程序列入白名单。 |
| 用户指南(M1011) | 应警告用户不要授予对辅助功能的访问权限,并仔细检查请求此危险权限的应用程序。 |
| Mitigation | Description |
|---|---|
| Application Vetting(M1005) | Applications that register an accessibility service should be scrutinized further for malicious behavior. |
| Enterprise Policy(M1012) | An EMM/MDM can use the Android DevicePolicyManager.setPermittedAccessibilityServices method to whitelist applications that are allowed to use Android's accessibility features. |
| User Guidance(M1011) | Users should be warned against granting access to accessibility features, and to carefully scrutinize applications that request this dangerous permission |
检测
用户可以在设备设置的辅助功能菜单中查看已注册辅助功能服务的应用程序。
Users can view applications that have registered accessibility services in the accessibility menu within the device settings.
- 译者: 林妙倩、戴亦仑 . source:cve.scap.org.cn
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论