T1411: Input Prompt
The operating system and installed applications often have legitimate needs to prompt the user for sensitive information such as account credentials, bank account information, or Personally Identifiable Information (PII). Adversaries may mimic this functionality to prompt users for sensitive information.
Compared to traditional PCs, the constrained display size of mobile devices may impair the ability to provide users with contextual information, making users more susceptible to this technique’s use.[1]
Specific approaches to this technique include:
### Impersonate the identity of a legitimate application
A malicious application could impersonate the identity of a legitimate application (e.g. use the same application name and/or icon) and get installed on the device. The malicious app could then prompt the user for sensitive information.[2]
### Display a prompt on top of a running legitimate application
A malicious application could display a prompt on top of a running legitimate application to trick users into entering sensitive information into the malicious application rather than the legitimate application. Typically, the malicious application would need to know when the targeted application (and individual activity within the targeted application) is running in the foreground, so that the malicious application knows when to display its prompt. Android 5.0 and 5.1.1, respectively, increased the difficulty of determining the current foreground application through modifications to the `ActivityManager` API.[3][4]. A malicious application can still abuse Android’s accessibility features to determine which application is currently in the foreground.[5] Approaches to display a prompt include:
* A malicious application could start a new activity on top of a running legitimate application.[1][6] Android 10 places new restrictions on the ability for an application to start a new activity on top of another application, which may make it more difficult for adversaries to utilize this technique.[7] * A malicious application could create an application overlay window on top of a running legitimate application. Applications must hold the `SYSTEM_ALERT_WINDOW` permission to create overlay windows. This permission is handled differently than typical Android permissions, and at least under certain conditions is automatically granted to applications installed from the Google Play Store.[8][9][10] The `SYSTEM_ALERT_WINDOW` permission and its associated ability to create application overlay windows are expected to be deprecated in a future release of Android in favor of a new API.[11]
### Fake device notifications
A malicious application could send fake device notifications to the user. Clicking on the device notification could trigger the malicious application to display an input prompt.[12]
This ATT&CK object is revoked or deprecated in the current MITRE ATT&CK release.
It remains available for historical context and inbound links. Use current ATT&CK relationships and replacement guidance before basing detection or reporting work on this page.
Analyst summary pending validation
Glexia publishes ATT&CK takes only after source-hash and schema validation. Until then, use the official MITRE definition below and the defensive relationship context on this page.
Input Prompt
The operating system and installed applications often have legitimate needs to prompt the user for sensitive information such as account credentials, bank account information, or Personally Identifiable Information (PII). Adversaries may mimic this functionality to prompt users for sensitive information.
Compared to traditional PCs, the constrained display size of mobile devices may impair the ability to provide users with contextual information, making users more susceptible to this technique’s use.[1]
Specific approaches to this technique include:
### Impersonate the identity of a legitimate application
A malicious application could impersonate the identity of a legitimate application (e.g. use the same application name and/or icon) and get installed on the device. The malicious app could then prompt the user for sensitive information.[2]
### Display a prompt on top of a running legitimate application
A malicious application could display a prompt on top of a running legitimate application to trick users into entering sensitive information into the malicious application rather than the legitimate application. Typically, the malicious application would need to know when the targeted application (and individual activity within the targeted application) is running in the foreground, so that the malicious application knows when to display its prompt. Android 5.0 and 5.1.1, respectively, increased the difficulty of determining the current foreground application through modifications to the `ActivityManager` API.[3][4]. A malicious application can still abuse Android’s accessibility features to determine which application is currently in the foreground.[5] Approaches to display a prompt include:
* A malicious application could start a new activity on top of a running legitimate application.[1][6] Android 10 places new restrictions on the ability for an application to start a new activity on top of another application, which may make it more difficult for adversaries to utilize this technique.[7] * A malicious application could create an application overlay window on top of a running legitimate application. Applications must hold the `SYSTEM_ALERT_WINDOW` permission to create overlay windows. This permission is handled differently than typical Android permissions, and at least under certain conditions is automatically granted to applications installed from the Google Play Store.[8][9][10] The `SYSTEM_ALERT_WINDOW` permission and its associated ability to create application overlay windows are expected to be deprecated in a future release of Android in favor of a new API.[11]
### Fake device notifications
A malicious application could send fake device notifications to the user. Clicking on the device notification could trigger the malicious application to display an input prompt.[12]
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Related techniques
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Mobile | T1417.002 | GUI Input Capture Sub-technique | This object revoked by GUI Input Capture. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 2.1 | Current bundle Revoked | cc3311b92c7a… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
Felt-PhishingOnMobileDevices
A.P. Felt and D. Wagner. (2011, May 26). Phishing on Mobile Devices. Retrieved August 25, 2016.
Open source URL -
[2]
eset-finance
Lukáš Štefanko. (2016, July 7). Fake finance apps on Google Play target users from around the world. Retrieved September 24, 2018.
Open source URL -
[3]
Android-getRunningTasks
Android. (n.d.). ActivityManager getRunningTasks documentation. Retrieved January 19, 2017.
Open source URL -
[4]
StackOverflow-getRunningAppProcesses
Various. (n.d.). Android 5.1.1 and above - getRunningAppProcesses() returns my application package only. Retrieved January 19, 2017.
Open source URL -
[5]
ThreatFabric Cerberus
ThreatFabric. (2019, August). Cerberus - A new banking Trojan from the underworld. Retrieved September 18, 2019.
Open source URL -
[6]
Hassell-ExploitingAndroid
R. Hassell. (2011, October 12-13). Exploiting Androids for Fun and Profit. Retrieved October 10, 2019.
Open source URL -
[7]
Android Background
Android Developers. (n.d.). Restrictions on starting activities from the background. Retrieved September 18, 2019.
Open source URL -
[8]
Cloak and Dagger
Fratantonio, Y., et al.. (2017). Cloak & Dagger. Retrieved September 18, 2019.
Open source URL -
[9]
NowSecure Android Overlay
Ramirez, T.. (2017, May 25). ‘SAW’-ing through the UI: Android overlay malware and the System Alert Window permission explained. Retrieved September 18, 2019.
Open source URL -
[10]
Skycure-Accessibility
Yair Amit. (2016, March 3). “Accessibility Clickjacking” – The Next Evolution in Android Malware that Impacts More Than 500 Million Devices. Retrieved December 21, 2016.
Open source URL -
[11]
XDA Bubbles
Rahman, M.. (2019, May 8). Bubbles in Android Q will fully replace the overlay API in a future Android version. Retrieved September 18, 2019.
Open source URL -
[12]
Group IB Gustuff Mar 2019
Group-IB. (2019, March 28). Group-IB uncovers Android Trojan named «Gustuff» capable of targeting more than 100 global banking apps, cryptocurrency and marketplace applications. Retrieved September 3, 2019.
Open source URL -
[13]
NIST Mobile Threat Catalogue APP-31Open source URL
-
[14]
mitre-attack T1411Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.