Access Notifications

Adversaries may collect data within notifications sent by the operating system or other applications. Notifications may contain sensitive data such as one-time authentication codes sent over SMS, email, or other mediums. In the case of Credential Access, adversaries may attempt to intercept one-time codes sent to the device. Adversaries can also dismiss notifications to prevent the user from noticing that the notification has arrived and can trigger action buttons contained within notifications.[1]

ID: T1517
Sub-techniques: No sub-techniques
Tactic Type: Post-Adversary Device Access
Platforms: Android
Version: 1.1
Created: 15 September 2019
Last Modified: 11 April 2022

Procedure Examples

ID Name Description
S0432 Bread

Bread can collect device notifications.[2]

S0425 Corona Updates

Corona Updates can collect messages from GSM, WhatsApp, Telegram, Facebook, and Threema by reading the application’s notification content.[3]

S0485 Mandrake

Mandrake can capture all device notifications and hide notifications from the user.[4]

S0489 WolfRAT

WolfRAT can receive system notifications.[5]

Mitigations

ID Mitigation Description
M1013 Application Developer Guidance

Application developers could be encouraged to avoid placing sensitive data in notification text.

M1012 Enterprise Policy

On Android devices with a work profile, the DevicePolicyManager.setPermittedCrossProfileNotificationListeners method can be used to manage the list of applications running within the personal profile that can access notifications generated within the work profile. This policy would not affect notifications generated by the rest of the device. The DevicePolicyManager.setApplicationHidden method can be used to disable notification access for unwanted applications, but this method would also block that entire application from running.[6]

M1011 User Guidance

Users should be wary of granting applications dangerous or privacy-intrusive permissions, such as access to notifications.

Detection

Application vetting services can look for applications requesting the BIND_NOTIFICATION_LISTENER_SERVICE permission in a service declaration. Users can also inspect and modify the list of applications that have notification access through the device settings (e.g. Apps & notification -> Special app access -> Notification access).
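As an added example (not part of the ATT&CK page or any vetting product), the following Python check implements the manifest inspection described above: it walks a decoded AndroidManifest.xml and flags every service guarded by the BIND_NOTIFICATION_LISTENER_SERVICE permission or registered for the NotificationListenerService action. The sample manifest is constructed for illustration; the function and field names are this example's own.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
LISTENER_PERMISSION = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
LISTENER_ACTION = "android.service.notification.NotificationListenerService"

def find_notification_listeners(manifest_xml: str) -> list[dict]:
    """Flag every <service> in a decoded AndroidManifest.xml that is wired up
    as a notification listener, by binding permission and/or intent action."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    findings = []
    for service in (app.findall("service") if app is not None else []):
        permission = service.get(ANDROID_NS + "permission", "")
        actions = {a.get(ANDROID_NS + "name")
                   for f in service.findall("intent-filter")
                   for a in f.findall("action")}
        has_permission = permission == LISTENER_PERMISSION
        has_action = LISTENER_ACTION in actions
        if has_permission or has_action:
            findings.append({
                "service": service.get(ANDROID_NS + "name", ""),
                "permission_declared": has_permission,
                "listener_action": has_action,
                # Both are needed for the system to bind the listener; a
                # half-declared one is still worth a reviewer's attention.
                "complete_listener": has_permission and has_action,
            })
    return findings

# Constructed sample manifest (not from any real app): one ordinary service
# and one service declared as a notification listener.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.vetted">
  <application android:label="Vetted">
    <service android:name=".SyncService" android:exported="false"/>
    <service android:name=".NotifListener"
        android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
      <intent-filter>
        <action android:name="android.service.notification.NotificationListenerService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for finding in find_notification_listeners(SAMPLE_MANIFEST):
        print(finding)
```

On a real APK, run this over the manifest as decoded by a tool such as apktool rather than the binary AXML in the archive.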

References