Détail du CAPEC-504

An adversary, through a previously installed malicious application, impersonates an expected or routine task in an attempt to steal sensitive information or leverage a user's privileges.

Flux d'exécution

[Determine suitable tasks to exploit] Determine what tasks exist on the target system that may result in a user providing sensitive information.

• Determine what tasks prompt a user for their credentials.
• Determine what tasks may prompt a user to authorize a process to execute with elevated privileges.

[Impersonate Task] Impersonate a legitimate task, either expected or unexpected, in an attempt to gain user credentials or to ride the user's privileges.

• Prompt a user for their credentials, while making the user believe the credential request is legitimate.
• Prompt a user to authorize a task to run with elevated privileges, while making the user believe the request is legitimate.

Conditions préalables

The adversary must already have access to the target system via some means.
A legitimate task must exist that an adversary can impersonate to glean credentials.
The user's privileges allow them to execute certain tasks with elevated privileges.

Compétences requises

Once an adversary has gained access to the target system, impersonating a task is trivial.

Ressources nécessaires

Malware or some other means to initially comprise the target system.
Additional malware to impersonate a legitimate task.

Atténuations

The only known mitigation to this attack is to avoid installing the malicious application on the device. However, to impersonate a running task the malicious application does need the GET_TASKS permission to be able to query the task list, and being suspicious of applications with that permission can help.

Faiblesses connexes

Références

REF-434

Phishing on Mobile Devices
Adrienne Porter Felt, David Wagner.
https://people.eecs.berkeley.edu/~daw/papers/mobphish-w2sp11.pdf

Soumission

Modifications