MITRE ATT&CK® Technique

T1417.002: GUI Input Capture

Adversaries may mimic common operating system GUI components to prompt users for sensitive information with a seemingly legitimate prompt. The operating system and installed applications often have legitimate needs to prompt the user for sensitive information such as account credentials, bank account information, or Personally Identifiable Information (PII). Compared to traditional PCs, the constrained display size of mobile devices may impair the ability to provide users with contextual information, making users more susceptible to this technique’s use.[1]

There are several approaches adversaries may use to mimic this functionality. Adversaries may impersonate the identity of a legitimate application (e.g. use the same application name and/or icon) and, when installed on the device, may prompt the user for sensitive information.[2] Adversaries may also send fake device notifications to the user that may trigger the display of an input prompt when clicked.[3]

Additionally, adversaries may display a prompt on top of a running, legitimate application to trick users into entering sensitive information into a malicious application rather than the legitimate application. Typically, adversaries need to know when the targeted application and the individual activity within the targeted application are running in the foreground to display the prompt at the proper time. Adversaries can abuse Android’s accessibility features to determine which application is currently in the foreground.[4] Two known approaches to displaying a prompt include:

* Adversaries start a new activity on top of a running legitimate application.[1][5] Android 10 places new restrictions on the ability for an application to start a new activity on top of another application, which may make it more difficult for adversaries to utilize this technique.[6]
* Adversaries create an application overlay window on top of a running legitimate application. Applications must hold the `SYSTEM_ALERT_WINDOW` permission to create overlay windows. This permission is handled differently than typical Android permissions and, at least under certain conditions, is automatically granted to applications installed from the Google Play Store.[7][8][9] The `SYSTEM_ALERT_WINDOW` permission and its associated ability to create application overlay windows are expected to be deprecated in a future release of Android in favor of a new API.[10]

Domain: Mobile · ID: T1417.002 · Type: Sub-technique · Object version: 1.1
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

GUI Input Capture is a mobile credential and sensitive-data theft behavior where a malicious app presents a convincing prompt, notification, activity, or overlay that looks like a legitimate operating system or application request. Its business significance is that the compromise may start with user trust rather than a software exploit: employees can be tricked into entering credentials, banking data, or PII on Android or iOS devices, especially where the small mobile screen limits context.

Executive priority

Treat this as a mobile identity and data-protection risk. Leaders should ask whether managed mobile devices restrict risky app permissions, whether users can report suspicious prompts, and whether the SOC can investigate mobile events tied to credential exposure. For compliance and incident readiness, the key question is whether the organization can produce evidence of mobile app governance, permission controls, and response procedures when sensitive information may have been entered into an untrusted prompt.

Technical view

ATT&CK provides no official detection text and no relationship context for this object, so validation should focus on mobile-specific evidence. For Android, defenders should review visibility into applications requesting or holding overlay-related capabilities such as SYSTEM_ALERT_WINDOW, use of accessibility features to determine foreground applications, suspicious app impersonation through name or icon similarity, fake notifications that lead to input prompts, and unexpected activities appearing over legitimate applications. iOS is listed as a platform, but the supplied description provides fewer platform-specific detection details for iOS, so local mobile telemetry and MDM capability should drive assessment.

Likely telemetry

  • Mobile device management or enterprise mobility inventory for installed applications and permissions
  • Android application permission data, especially overlay-related permissions and accessibility feature use
  • Mobile security alerts for app impersonation, suspicious notifications, or unexpected prompt behavior
  • User reports of unexpected credential, banking, or PII prompts on mobile devices
  • Application install source, app name, icon, and package metadata where available

Detection direction

  • Confirm whether mobile telemetry can show which apps hold sensitive permissions or accessibility capabilities relevant to foreground-app awareness and overlays.
  • Tune review workflows for apps that mimic legitimate application names or icons, while accounting for benign apps that use branding, notifications, or overlays for legitimate reasons.
  • Validate whether SOC playbooks include user-reported suspicious mobile prompts as actionable evidence, not just endpoint malware alerts.
  • For Android, assess coverage for overlay windows and new activities appearing over legitimate apps; note that Android version behavior may affect feasibility and signal quality.
  • For iOS, avoid assuming equivalent Android-style signals; identify what local MDM, mobile threat defense, or app governance telemetry actually provides.
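The first two detection points above (inventory of apps holding overlay or accessibility capabilities, and review of apps whose label mimics a legitimate application, with the caveat that some benign apps legitimately use overlays) can be exercised against an MDM app-inventory export. The following Python is an added example, not code from Glexia or MITRE: the inventory records, the trusted-app mapping, the JSON field names and the install-source labels are constructed assumptions, and `BIND_ACCESSIBILITY_SERVICE` is used here as the manifest permission an Android accessibility service declares.

```python
import json
from dataclasses import dataclass

# Permission names as written in an Android manifest. SYSTEM_ALERT_WINDOW is the
# overlay permission named on this page; BIND_ACCESSIBILITY_SERVICE is declared by
# accessibility services. Assumption: the MDM export lists full permission names.
OVERLAY_PERMISSION = "android.permission.SYSTEM_ALERT_WINDOW"
ACCESSIBILITY_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Install sources the organisation treats as governed (assumed labels).
GOVERNED_SOURCES = {"play_store", "mdm"}

# Constructed allow-list: normalised display label -> package that owns that label.
TRUSTED_APPS = {
    "example bank": "com.examplebank.android",
    "example wallet": "com.examplewallet.app",
}

# Constructed MDM inventory export; field names are an assumption, not a vendor schema.
SAMPLE_INVENTORY_JSON = """
[
  {"package": "com.examplebank.android", "label": "Example Bank",
   "permissions": ["android.permission.INTERNET"], "install_source": "play_store"},
  {"package": "com.exampel.bank.secure", "label": "Example Bank",
   "permissions": ["android.permission.INTERNET",
                   "android.permission.SYSTEM_ALERT_WINDOW",
                   "android.permission.BIND_ACCESSIBILITY_SERVICE"],
   "install_source": "sideload"},
  {"package": "com.vendor.screendimmer", "label": "Night Dimmer",
   "permissions": ["android.permission.SYSTEM_ALERT_WINDOW"], "install_source": "play_store"},
  {"package": "com.unknown.notify", "label": " Example Wallet ",
   "permissions": ["android.permission.SYSTEM_ALERT_WINDOW"], "install_source": "sideload"}
]
"""


@dataclass
class Finding:
    package: str
    label: str
    reasons: list   # sorted reason tags, e.g. ["overlay", "ungoverned_source"]
    review: bool    # True when the record should go to analyst review


def normalise_label(label: str) -> str:
    # Collapse case and stray whitespace so near-identical labels compare equal.
    return " ".join(label.casefold().split())


def should_review(reasons) -> bool:
    # Overlay or accessibility alone is not escalated: benign apps use them too.
    r = set(reasons)
    if "label_collision" in r:
        return True
    if {"overlay", "accessibility"} <= r:
        return True
    if ("overlay" in r or "accessibility" in r) and "ungoverned_source" in r:
        return True
    return False


def assess(record: dict) -> Finding:
    perms = set(record.get("permissions", []))
    reasons = []
    if OVERLAY_PERMISSION in perms:
        reasons.append("overlay")
    if ACCESSIBILITY_PERMISSION in perms:
        reasons.append("accessibility")
    if record.get("install_source") not in GOVERNED_SOURCES:
        reasons.append("ungoverned_source")
    # Label mimicry: a trusted label carried by a package that does not own it.
    expected = TRUSTED_APPS.get(normalise_label(record.get("label", "")))
    if expected is not None and record["package"] != expected:
        reasons.append("label_collision")
    reasons.sort()
    return Finding(record["package"], record.get("label", ""), reasons, should_review(reasons))


def triage(inventory_json: str) -> list:
    # Assess every inventory record and return findings ordered by package name.
    findings = [assess(rec) for rec in json.loads(inventory_json)]
    return sorted(findings, key=lambda f: f.package)


if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY_JSON):
        status = "REVIEW" if f.review else "ok"
        print(f"{status:6} {f.package:28} {f.label!r:20} {','.join(f.reasons)}")
```

In the constructed sample the store-installed screen dimmer holds `SYSTEM_ALERT_WINDOW` but is not escalated, while the sideloaded look-alike of "Example Bank" and the overlay app whose label collides with "Example Wallet" are. Icon similarity, which the page also names, is not covered here; it needs image comparison against the trusted app's icon rather than a string match.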

Mitigation priorities

  • Maintain mobile app governance: restrict untrusted app installation where policy allows and review application identity, source, and requested permissions.
  • Use MDM or equivalent controls to monitor and manage sensitive mobile permissions, particularly overlay and accessibility-related capabilities on Android where available.
  • Harden identity exposure paths by requiring phishing-resistant or stronger authentication where feasible, since this technique targets user-entered secrets.
  • Train users to report unexpected mobile prompts, especially prompts asking for credentials, banking data, or PII immediately after opening another app or clicking a notification.
  • Ensure incident response procedures include mobile device triage, credential reset decisions, and evidence preservation for suspicious prompts.

Analyst notes and limits

This object is a mobile ATT&CK sub-technique, T1417.002 GUI Input Capture, covering Android and iOS. The supplied ATT&CK description gives richer implementation detail for Android, including accessibility abuse, overlay windows, SYSTEM_ALERT_WINDOW, and activity launches over legitimate applications. No tactics, external references, official detection text, aliases, labels, or relationships were supplied.

This take is limited to the supplied official STIX fields and description. It does not establish active exploitation, specific threat actors, prevalence, impact, or guaranteed detectability. Local platform versions, MDM/mobile security tooling, app inventory, and user-reporting evidence are required to determine actual exposure and coverage.

Official MITRE ATT&CK definition

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure
Mobile | T1417 | Input Capture | This object is a sub-technique of Input Capture.
Mobile | T1411 | Input Prompt | Input Prompt is revoked by this object.
Associated objects

Groups, software, and campaigns

S1062: S.O.V.A. (Malware, Mobile; platform: Android)

S.O.V.A. is an Android banking trojan that was first identified in August 2021 and has subsequently been found in a variety of applications, including banking, cryptocurrency wallet/exchange, and shopping apps. S.O.V.A., which is Russian for "owl", contains features not commonly found in Android malware, such as session cookie theft.[1][2]

S0298: Xbot (Tool, Mobile; platform: Android)

Xbot is an Android malware family that was observed in 2016 primarily targeting Android users in Russia and Australia.[1]

S1056: TianySpy (Malware, Mobile; platforms: Android, iOS)

TianySpy is a mobile malware primarily spread by SMS phishing between September 30 and October 12, 2021. TianySpy is believed to have targeted credentials associated with membership websites of major Japanese telecommunication services.[1]

S0478: EventBot (Malware, Mobile; platform: Android)

EventBot is an Android banking trojan and information stealer that abuses Android’s accessibility service to steal data from various applications.[1] EventBot was designed to target over 200 different banking and financial applications, the majority of which are European bank and cryptocurrency exchange applications.[1]

S0301: Dendroid (Malware, Mobile; platform: Android)

Dendroid is an Android remote access tool (RAT) primarily targeting Western countries. The RAT was available for purchase for $300 and came bundled with a utility to inject the RAT into legitimate applications.[1]

S1069: TangleBot (Malware, Mobile; platform: Android)

TangleBot is SMS malware that was initially observed in September 2021, primarily targeting mobile users in the United States and Canada. TangleBot has used SMS text message lures about COVID-19 regulations and vaccines to trick mobile users into downloading the malware, similar to FluBot Android malware campaigns.[1]

S0480: Cerberus (Malware, Mobile; platform: Android)

Cerberus is a banking trojan whose usage can be rented on underground forums and marketplaces. Prior to being available to rent, the authors of Cerberus claim it was used in private operations for two years.[1]
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.1
Created:
Modified:
Raw hash: 5b436a434c0e6549...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.1 | | Current bundle | 5b436a434c0e…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Felt-PhishingOnMobileDevices: A.P. Felt and D. Wagner. (2011, May 26). Phishing on Mobile Devices. Retrieved August 25, 2016.
  2. [2] eset-finance: Lukáš Štefanko. (2016, July 7). Fake finance apps on Google Play target users from around the world. Retrieved September 24, 2018.
  3. [3] Group IB Gustuff Mar 2019: Group-IB. (2019, March 28). Group-IB uncovers Android Trojan named «Gustuff» capable of targeting more than 100 global banking apps, cryptocurrency and marketplace applications. Retrieved September 3, 2019.
  4. [4] ThreatFabric Cerberus: ThreatFabric. (2019, August). Cerberus - A new banking Trojan from the underworld. Retrieved September 18, 2019.
  5. [5] Hassell-ExploitingAndroid: R. Hassell. (2011, October 12-13). Exploiting Androids for Fun and Profit. Retrieved October 10, 2019.
  6. [6] Android Background: Android Developers. (n.d.). Restrictions on starting activities from the background. Retrieved September 18, 2019.
  7. [7] Cloak and Dagger: Fratantonio, Y., et al. (2017). Cloak & Dagger. Retrieved September 12, 2024.
  8. [8] NowSecure Android Overlay: Ramirez, T. (2017, May 25). ‘SAW’-ing through the UI: Android overlay malware and the System Alert Window permission explained. Retrieved September 18, 2019.
  9. [9] Skycure-Accessibility: Yair Amit. (2016, March 3). “Accessibility Clickjacking” – The Next Evolution in Android Malware that Impacts More Than 500 Million Devices. Retrieved November 17, 2024.
  10. [10] XDA Bubbles: Rahman, M. (2019, May 8). Bubbles in Android Q will fully replace the overlay API in a future Android version. Retrieved September 18, 2019.
  11. [11] NIST Mobile Threat Catalogue APP-31
  12. [12] mitre-attack T1417.002

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.