ATT&CK-CN V1.01 Last Update: 2019-11

Translators: 林妙倩 (cybersecurity intern, Institute for Network Sciences and Cyberspace, Tsinghua University), 戴亦仑 (赛宁网安). This is an original translation; please obtain the translators' consent before reposting.

Data source: ATT&CK Matrices

Original: https://attack.mitre.org/techniques/T1516

Glossary: /attack/glossary

Input Injection

A malicious application can inject input to the user interface to mimic user interaction through the abuse of Android's accessibility APIs. Input Injection (T1516) can be achieved using any of the following methods:

  • Mimicking user clicks on the screen, for example to steal money from a user's PayPal account.
  • Injecting global actions, such as GLOBAL_ACTION_BACK (programmatically mimicking a physical back button press), to trigger actions on behalf of the user.
  • Inserting input into text fields on behalf of the user. This method is used legitimately to auto-fill text fields by applications such as password managers.

Tags

ID: T1516

Tactic Type: Post-Adversary Device Access

Tactics: Defense Evasion, Impact

Platform: Android

Procedure Examples

Name             Description
Gustuff (S0406)  Gustuff (S0406) injects the global action GLOBAL_ACTION_BACK to mimic pressing the back button to close the application if a call to an open antivirus application is detected.
Riltok (S0403)   Riltok (S0403) injects input to set itself as the default SMS handler by clicking the appropriate places on the screen. It can also close or minimize targeted antivirus applications and the device security settings screen.

Mitigations

Mitigation                  Description
Application Vetting (M1005) Applications that register an accessibility service should be scrutinized further for malicious behavior.
Enterprise Policy (M1012)   An EMM/MDM can use the Android DevicePolicyManager.setPermittedAccessibilityServices method to whitelist applications that are allowed to use Android's accessibility features.
User Guidance (M1011)       Users should be warned against granting access to accessibility features, and to carefully scrutinize applications that request this dangerous permission.

Detection

Users can view applications that have registered accessibility services in the accessibility menu within the device settings.
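As an added example (not part of the original ATT&CK page), the following POSIX shell audit turns the detection note above and the M1012 allowlist idea into a check: it parses the value Android stores in Settings.Secure enabled_accessibility_services (the same list the accessibility settings menu shows, obtainable with adb shell settings get secure enabled_accessibility_services) and reports every enabled service whose package is not on an allowlist. The package names and the sample value are assumed/constructed; no device is contacted.

```shell
#!/bin/sh
# Audit enabled Android accessibility services against a package allowlist.
# On a real device the input comes from:
#   adb shell settings get secure enabled_accessibility_services
# which prints "null" when no service is enabled, otherwise a colon-separated
# list of flattened component names, e.g. "com.pkg/com.pkg.MyService".
# Here a constructed sample value is used instead of a live device.

# Packages permitted to run an accessibility service (assumed values, e.g. the
# same list an EMM would pass to DevicePolicyManager.setPermittedAccessibilityServices).
ALLOWED_PACKAGES="com.example.passwordmanager com.example.screenreader"

# Usage: audit_accessibility_services "<settings value>" "<space-separated allowed packages>"
# Prints each enabled service whose package is not allowed.
# Returns 0 when every enabled service is allowed (or none is enabled), 1 otherwise.
audit_accessibility_services() {
    value=$1
    allow=$2
    unexpected=0

    # "null" (unset) or an empty string means no accessibility service is enabled.
    if [ -z "$value" ] || [ "$value" = "null" ]; then
        return 0
    fi

    # Split the colon-separated component list into positional parameters.
    old_ifs=$IFS
    IFS=':'
    set -- $value
    IFS=$old_ifs

    for component in "$@"; do
        [ -z "$component" ] && continue
        pkg=${component%%/*}            # package part of "package/ServiceClass"
        case " $allow " in
            *" $pkg "*) ;;                # permitted package
            *)
                echo "UNEXPECTED accessibility service enabled: $component"
                unexpected=1
                ;;
        esac
    done
    return $unexpected
}

# Constructed sample: one legitimate password manager plus an unknown service.
SAMPLE="com.example.passwordmanager/com.example.passwordmanager.AutofillService:com.unknown.app/.OverlayService"
audit_accessibility_services "$SAMPLE" "$ALLOWED_PACKAGES" || echo "Review the services listed above."
```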