Adversaries may abuse clipboard manager APIs to obtain sensitive information copied to the device clipboard. For example, passwords being copied and pasted from a password manager application could be captured by a malicious application installed on the device.^[1]

On Android, applications can use the ClipboardManager.OnPrimaryClipChangedListener() API to register as a listener and monitor the clipboard for changes. However, starting in Android 10, this can only be used if the application is in the foreground, or is set as the device’s default input method editor (IME).^[2][3]

On iOS, this can be accomplished by accessing the UIPasteboard.general.string field. However, starting in iOS 14, upon accessing the clipboard, the user will be shown a system notification if the accessed text originated in a different application. For example, if the user copies the text of an iMessage from the Messages application, the notification will read “application_name has pasted from Messages” when the text was pasted in a different application.^[4]

References:

1. Fahl, S, et al.. (2013). Hey, You, Get Off of My Clipboard. Retrieved September 12, 2024.
2. Pearce, G. (, January). Retrieved August 8, 2019.
3. Android Developers. (n.d.). Privacy changes in Android 10. Retrieved September 11, 2019.
4. Apple Developer. (n.d.). UIPasteboard. Retrieved April 1, 2022.

Adversaries may mimic common operating system GUI components to prompt users for sensitive information with a seemingly legitimate prompt. The operating system and installed applications often have legitimate needs to prompt the user for sensitive information such as account credentials, bank account information, or Personally Identifiable Information (PII). Compared to traditional PCs, the constrained display size of mobile devices may impair the ability to provide users with contextual information, making users more susceptible to this technique’s use.^[1]

There are several approaches adversaries may use to mimic this functionality. Adversaries may impersonate the identity of a legitimate application (e.g. use the same application name and/or icon) and, when installed on the device, may prompt the user for sensitive information.^[2] Adversaries may also send fake device notifications to the user that may trigger the display of an input prompt when clicked.^[3]

Additionally, adversaries may display a prompt on top of a running, legitimate application to trick users into entering sensitive information into a malicious application rather than the legitimate application. Typically, adversaries need to know when the targeted application and the individual activity within the targeted application is running in the foreground to display the prompt at the proper time. Adversaries can abuse Android’s accessibility features to determine which application is currently in the foreground.^[4] Two known approaches to displaying a prompt include:

• Adversaries start a new activity on top of a running legitimate application.^[1][5] Android 10 places new restrictions on the ability for an application to start a new activity on top of another application, which may make it more difficult for adversaries to utilize this technique.^[6]
• Adversaries create an application overlay window on top of a running legitimate application. Applications must hold the SYSTEM_ALERT_WINDOW permission to create overlay windows. This permission is handled differently than typical Android permissions and, at least under certain conditions, is automatically granted to applications installed from the Google Play Store.^[7][8][9] The SYSTEM_ALERT_WINDOW permission and its associated ability to create application overlay windows are expected to be deprecated in a future release of Android in favor of a new API.^[10]

References:

1. A.P. Felt and D. Wagner. (2011, May 26). Phishing on Mobile Devices. Retrieved August 25, 2016.
2. Lukáš Štefanko. (2016, July 7). Fake finance apps on Google Play target users from around the world. Retrieved September 24, 2018.
3. Group-IB. (2019, March 28). Group-IB uncovers Android Trojan named «Gustuff» capable of targeting more than 100 global banking apps, cryptocurrency and marketplace applications. Retrieved September 3, 2019.
4. ThreatFabric. (2019, August). Cerberus - A new banking Trojan from the underworld. Retrieved September 18, 2019.
5. R. Hassell. (2011, October 12-13). Exploiting Androids for Fun and Profit. Retrieved October 10, 2019.
6. Android Developers. (n.d.). Restrictions on starting activities from the background. Retrieved September 18, 2019.
7. Fratantonio, Y., et al.. (2017). Cloak & Dagger. Retrieved September 12, 2024.
8. Ramirez, T.. (2017, May 25). ‘SAW’-ing through the UI: Android overlay malware and the System Alert Window permission explained. Retrieved September 18, 2019.
9. Yair Amit. (2016, March 3). “Accessibility Clickjacking” – The Next Evolution in Android Malware that Impacts More Than 500 Million Devices. Retrieved December 21, 2016.
10. Rahman, M.. (2019, May 8). Bubbles in Android Q will fully replace the overlay API in a future Android version. Retrieved September 18, 2019.

A malicious application could suppress its icon from being displayed to the user in the application launcher. This hides the fact that it is installed, and can make it more difficult for the user to uninstall the application. Hiding the application's icon programmatically does not require any special permissions.

This behavior has been seen in the BankBot/Spy Banker family of malware.^[1][2][3]

Beginning in Android 10, changes were introduced to inhibit malicious applications’ ability to hide their icon. If an app is a system app, requests no permissions, or does not have a launcher activity, the application’s icon will be fully hidden. Further, if the device is fully managed or the application is in a work profile, the icon will be fully hidden. Otherwise, a synthesized activity is shown, which is a launcher icon that represents the app’s details page in the system settings. If the user clicks the synthesized activity in the launcher, they are taken to the application’s details page in the system settings.^[4][5]

References:

1. Lukáš Štefanko. (2018, December 11). Android Trojan steals money from PayPal accounts even with 2FA on. Retrieved July 11, 2019.
2. Lukáš Štefanko. (2017, February 22). Sunny with a chance of stolen credentials: Malicious weather app found on Google Play. Retrieved July 11, 2019.
3. NJCCIC. (2017, March 2). BankBot/Spy Banker. Retrieved September 12, 2024.
4. Android. (n.d.). Android 10 Release Notes: Limitations to hiding app icons. Retrieved March 30, 2022.
5. Android. (n.d.). LauncherApps: getActivityList. Retrieved March 30, 2022.