T1516: Input Injection
A malicious application can inject input to the user interface to mimic user interaction through the abuse of Android's accessibility APIs.
Input Injection can be achieved using any of the following methods:
* Mimicking user clicks on the screen, for example to steal money from a user's PayPal account.[1]
* Injecting global actions, such as `GLOBAL_ACTION_BACK` (programmatically mimicking a physical back button press), to trigger actions on behalf of the user.[2]
* Inserting input into text fields on behalf of the user. This method is used legitimately to auto-fill text fields by applications such as password managers.[3]
Analyst context for executives and security teams
Input Injection is an Android mobile technique where a malicious app abuses Accessibility APIs to act like the user: clicking buttons, sending global actions such as Back, or filling text fields. For leaders, the business issue is not just malware on a phone; it is whether mobile devices used for banking, cryptocurrency, email, social media, or workforce access can be trusted when an app can perform actions that appear user-approved.
Executive priority
Prioritize this where Android devices are used for sensitive transactions, workforce identity flows, or regulated business processes. ATT&CK links this behavior to multiple Android banking malware families, making it relevant to fraud prevention, mobile device governance, help desk/IR playbooks, and audit evidence around enterprise mobility controls. Executives should ask whether the organization can identify risky accessibility permissions, enforce mobile policy through EMM/MDM, and guide users on when accessibility prompts are unsafe.
Technical view
SOC, mobile security, and IR teams should validate Android-focused coverage for abuse of Accessibility Services rather than relying only on generic malware alerts. The object has no official ATT&CK detection text, but ATT&CK does identify a related detection strategy, DET0612. Practical validation should focus on apps requesting or using accessibility capabilities (a service declared in the manifest under the `BIND_ACCESSIBILITY_SERVICE` permission and subsequently enabled by the user), apps performing UI-like actions inconsistent with business need, and cases where text entry or global actions are triggered by an app on behalf of the user. Stock Android does not log the individual injected clicks, global actions, or text insertions anywhere an EMM can collect, so service enablement state and declared capabilities are the practical observables. Tuning must account for legitimate use, especially password managers and other approved autofill tools.
Likely telemetry
- Android application inventory and package metadata from managed devices
- Accessibility Service enablement status (the `enabled_accessibility_services` and `accessibility_enabled` secure settings) and permission/configuration changes where available
- EMM/MDM compliance state and policy enforcement records
- Mobile threat defense or device security alerts related to suspicious accessibility abuse
- User reports or help desk cases involving unexpected clicks, navigation, autofill, or transaction prompts
Detection direction
- Confirm whether DET0612 or equivalent mobile detection logic is implemented for Android accessibility abuse.
- Baseline approved apps that legitimately use autofill or accessibility features to reduce false positives.
- Alert on newly installed or unapproved apps granted accessibility capabilities on managed Android devices.
- Correlate suspicious accessibility permission grants with high-risk apps or user reports of unauthorized UI actions.
- Treat lack of mobile telemetry as a coverage gap: this technique may not be visible to network or endpoint controls designed for traditional desktops.
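All three injection methods described at the top of this page depend on the malicious package's accessibility service having been enabled, and the injected clicks, global actions and text insertions themselves leave no log an EMM can collect, so enablement state is what the allowlist check in the detection direction above has to work from. The following is an added example, not ATT&CK or Glexia code, of that check: it parses the Android secure setting `enabled_accessibility_services` (colon-separated flattened component names, as returned by `adb shell settings get secure enabled_accessibility_services`; the short `package/.Class` form is also accepted), reads the `accessibility_enabled` master switch, joins both with a per-device package inventory, and raises sideloaded packages to the highest severity. The device snapshots, package names, inventory format and allowlist are constructed for illustration.

```python
from dataclasses import dataclass

# Installer package recorded for apps installed from Google Play.
PLAY_STORE_INSTALLER = "com.android.vending"

# Packages the enterprise permits to run an accessibility service
# (hypothetical names; a real list would come from the EMM's approved-app catalog).
ALLOWLIST = {"com.example.passwordmanager"}


@dataclass(frozen=True)
class Finding:
    device: str
    package: str
    service: str
    severity: str
    reason: str


def parse_enabled_services(raw: str) -> list[tuple[str, str]]:
    """Split the enabled_accessibility_services secure setting into
    (package, service class) pairs.  Entries are colon-separated flattened
    ComponentNames; a class written as ".Name" is relative to the package."""
    services = []
    for entry in raw.strip().split(":"):
        if not entry:
            continue
        pkg, _, cls = entry.partition("/")
        if cls.startswith("."):
            cls = pkg + cls
        services.append((pkg, cls))
    return services


def triage_device(device_id: str, snapshot: dict, allowlist: set[str]) -> list[Finding]:
    """Compare one device's enabled services with the allowlist and inventory."""
    findings = []
    # accessibility_enabled is the master switch: listed services with it off are
    # dormant, so they are reported at reduced severity rather than ignored.
    active = snapshot.get("accessibility_enabled") == "1"
    installed = snapshot.get("installed", {})
    for pkg, svc in parse_enabled_services(snapshot.get("enabled_accessibility_services", "")):
        if pkg in allowlist:
            continue
        if pkg not in installed:
            findings.append(Finding(device_id, pkg, svc, "medium",
                                    "enabled service belongs to a package missing from inventory"))
            continue
        if installed[pkg] != PLAY_STORE_INSTALLER:
            severity, reason = ("high" if active else "medium"), "sideloaded package granted accessibility"
        else:
            severity, reason = ("medium" if active else "low"), "unapproved store app granted accessibility"
        findings.append(Finding(device_id, pkg, svc, severity, reason))
    return findings


def triage_fleet(devices: dict, allowlist: set[str] = ALLOWLIST) -> list[Finding]:
    return [f for dev, snap in devices.items() for f in triage_device(dev, snap, allowlist)]


# Constructed snapshots in the shape an MDM agent could export: the two secure
# settings plus a package -> installer map (None marks a sideloaded package).
SAMPLE_DEVICES = {
    "dev-0041": {
        "accessibility_enabled": "1",
        "enabled_accessibility_services":
            "com.example.passwordmanager/.AutofillAccessibilityService:"
            "com.updates.systemcare/com.updates.systemcare.svc.Helper",
        "installed": {
            "com.example.passwordmanager": PLAY_STORE_INSTALLER,
            "com.updates.systemcare": None,
        },
    },
    "dev-0042": {
        "accessibility_enabled": "0",
        "enabled_accessibility_services": "com.example.screenreader/.ReaderService",
        "installed": {"com.example.screenreader": PLAY_STORE_INSTALLER},
    },
    "dev-0043": {
        "accessibility_enabled": "0",
        "enabled_accessibility_services": "",
        "installed": {"com.example.passwordmanager": PLAY_STORE_INSTALLER},
    },
}

if __name__ == "__main__":
    for f in triage_fleet(SAMPLE_DEVICES):
        print(f"{f.device} {f.severity:6} {f.package} ({f.service}): {f.reason}")
```

The sideloaded, active service on dev-0041 is the case that maps to the banking-trojan pattern this technique describes; the dormant, store-installed service on dev-0042 is kept at low severity so that it surfaces if the master switch is later turned on without a new install event.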
Mitigation priorities
- Use Enterprise Policy through EMM/MDM to restrict or govern mobile application behavior where supported. On Android Enterprise managed devices a device or profile owner can restrict which packages may provide accessibility services (`DevicePolicyManager.setPermittedAccessibilityServices`); system accessibility services remain permitted regardless of that list.
- Maintain approved app lists and review applications that request accessibility-related capabilities.
- Provide User Guidance so users understand that accessibility prompts can enable an app to control the interface.
- Include mobile accessibility abuse in incident response triage for suspected account takeover, banking fraud, or unauthorized mobile actions.
- Document mobile policy enforcement and exception handling as compliance evidence for managed Android environments.
Analyst notes and limits
ATT&CK relationships associate this technique with Android malware including Riltok, Gustuff, Ginp, TrickMo, DEFENSOR ID, Cerberus, Mandrake, Zen, TERRACOTTA, SharkBot, S.O.V.A., BRATA, GodFather, and Crocodilus. Those relationships support defensive prioritization for mobile malware and fraud scenarios, but they do not prove activity in any specific environment.
The ATT&CK object lists Android as the platform but does not specify tactics and provides no official detection text. Local mobile management, device logging, and application approval data are required to determine actual exposure and coverage. Legitimate accessibility and autofill use can create ambiguity, so detections should be validated against enterprise-approved applications.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Groups, software, and campaigns
S1062: S.O.V.A.
S.O.V.A. is an Android banking trojan that was first identified in August 2021 and has subsequently been found in a variety of applications, including banking, cryptocurrency wallet/exchange, and shopping apps. S.O.V.A., which is Russian for "owl", contains features not commonly found in Android malware, such as session cookie theft.[1][2]
S0479: DEFENSOR ID
DEFENSOR ID is a banking trojan capable of clearing a victim’s bank account or cryptocurrency wallet and taking over email or social media accounts. DEFENSOR ID performs the majority of its malicious functionality by abusing Android’s accessibility service.[1]
S0423: Ginp
S0545: TERRACOTTA
TERRACOTTA is an ad fraud botnet that has been capable of generating over 2 billion fraudulent requests per week.[1]
S1055: SharkBot
S0427: TrickMo
S1094: BRATA
BRATA (Brazilian Remote Access Tool, Android) is an evolving Android malware strain, detected in late 2018 and again in late 2021. Originating in Brazil, BRATA was later also found in the UK, Poland, Italy, Spain, and USA, where it is believed to have targeted financial institutions such as banks. There are currently three known variants of BRATA.[1][2][3]
S9004: Crocodilus
Crocodilus is an Android banking Trojan that was discovered in March 2025. Crocodilus targeted users worldwide, including Turkey, Poland, Argentina, Brazil, Spain, the United States, Indonesia and India. Crocodilus has been customized based on the target location. For example, Crocodilus mimicked major Turkish and Spanish banks for users in Turkey and Spain, while users in Poland saw Facebook advertisements that promoted Crocodilus to claim bonus points.[1][2]
S0485: Mandrake
Mandrake is a sophisticated Android espionage platform that has been active in the wild since at least 2016. Mandrake is very actively maintained, with sophisticated features and attacks that are executed with surgical precision.
Mandrake has gone undetected for several years by providing legitimate, ad-free applications with social media and real reviews to back the apps. The malware is only activated when the operators issue a specific command.[1]
S0494: Zen
S1231: GodFather
GodFather is an Android banking malware that uses virtualization to mimic legitimate applications and abuses accessibility services and other permissions to evade detection and exfiltrate sensitive data. First identified in 2020, GodFather targets nearly 500 banking applications, cryptocurrency wallets, and exchanges worldwide; however, its virtualization-based attacks have primarily focused on several Turkish financial institutions. This capability enables threat actors to steal banking credentials and other sensitive account information.[1][2]
S0406: Gustuff
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.2 | | Current bundle | ae9dce783911… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] android-trojan-steals-paypal-2fa: Lukáš Štefanko. (2018, December 11). Android Trojan steals money from PayPal accounts even with 2FA on. Retrieved July 11, 2019.
[2] Talos Gustuff Apr 2019: Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia. Retrieved September 3, 2019.
[3] bitwarden autofill logins: Bitwarden. (n.d.). Auto-fill logins on Android. Retrieved September 15, 2019.
[4] mitre-attack: MITRE ATT&CK. T1516: Input Injection.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.