T1517: Access Notifications
Adversaries may collect data within notifications sent by the operating system or other applications. Notifications may contain sensitive data such as one-time authentication codes sent over SMS, email, or other mediums. In the case of Credential Access, adversaries may attempt to intercept one-time codes sent to the device. Adversaries can also dismiss notifications to prevent the user from noticing that the notification has arrived and can trigger action buttons contained within notifications.[1]
Analyst context for executives and security teams
Access Notifications matters because Android notifications often contain business-sensitive content, including one-time authentication codes. If a malicious app can read, dismiss, or act on notifications, it may weaken MFA workflows and hide activity from the user. For leaders, this is less about one alert and more about whether mobile governance can prove which apps are allowed to see notification data on managed Android devices.
Executive priority
Prioritize this where Android devices are used for workforce access, banking/payment workflows, privileged administration, or MFA code delivery. The decision value is to validate whether EMM/MDM policy, user guidance, and application security requirements reduce exposure to apps that can access notification content. This also supports audit evidence for mobile access controls and incident response decisions when account takeover or suspicious mobile activity is suspected.
Technical view
For SOC, detection engineering, and IR teams, treat T1517 as Android mobile telemetry validation. ATT&CK provides no official detection text, but it maps a detection strategy, DET0611, to this behavior. Validate whether managed devices expose evidence of applications with notification-related access, suspicious notification dismissal or action behavior where available, risky app installation sources, and mobile security alerts. Relationship context shows this technique is used by multiple Android malware entries and one campaign, so triage should include installed-app review, device compliance state, and whether sensitive OTP or application notifications were present on the device during the suspected window.
Likely telemetry
- Android EMM/MDM inventory, compliance, and policy enforcement records
- Installed application inventory, package metadata, app source, and version history
- Device permission and special-access state where available, especially notification-related access
- Mobile threat defense or endpoint security alerts for Android applications
- Authentication logs showing OTP, MFA, or account access events correlated to the mobile device/user
Detection direction
- Confirm whether DET0611 or equivalent mobile detection logic is implemented and mapped to Android notification access behavior.
- Tune detections around newly installed or untrusted apps that gain access to notification content, especially on devices used for MFA or sensitive business applications.
- Correlate mobile app events with identity logs; notification access becomes higher priority when followed by successful authentication, MFA changes, or account activity anomalies.
- Watch for blind spots: unmanaged Android devices, BYOD devices with limited telemetry, third-party app stores, and lack of visibility into special app access settings.
- Expect false positives from legitimate productivity, wearable, accessibility, or notification-management apps; triage should consider business justification, publisher trust, installation source, and device ownership.
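To make the correlation step concrete, here is an added example (not ATT&CK's or Glexia's code) that scores non-allowlisted notification-access grants from a constructed EMM export against a constructed identity log, raising severity when an OTP or MFA event for the same user follows the grant within an hour. Record field names, the allowlist, the trusted-source set and the one-hour window are assumptions.

```python
"""Added example (not ATT&CK or Glexia code): correlate Android
notification-access grants with subsequent OTP/MFA events.
Record formats and field names are assumptions; sample data is constructed."""
from datetime import datetime, timedelta

# Constructed EMM export: apps currently holding notification access per device.
NOTIFICATION_ACCESS = [
    {"device": "dev-01", "user": "alice", "package": "com.example.wearsync",
     "source": "play", "granted_at": "2024-05-01T08:00:00"},
    {"device": "dev-02", "user": "bob", "package": "com.unknown.cleaner",
     "source": "sideload", "granted_at": "2024-05-01T09:10:00"},
    {"device": "dev-03", "user": "carol", "package": "com.unknown.fonts",
     "source": "thirdparty", "granted_at": "2024-05-01T10:00:00"},
]
# Constructed identity log: OTP deliveries and MFA outcomes per user.
AUTH_EVENTS = [
    {"user": "bob", "event": "otp_sent", "ts": "2024-05-01T09:25:00"},
    {"user": "bob", "event": "mfa_success", "ts": "2024-05-01T09:26:30"},
    {"user": "carol", "event": "mfa_success", "ts": "2024-05-02T10:00:00"},
]
ALLOWLIST = {"com.example.wearsync"}    # business-justified notification readers
TRUSTED_SOURCES = {"play"}              # managed store channels (assumed)
SENSITIVE_EVENTS = {"otp_sent", "mfa_success", "mfa_change"}
WINDOW = timedelta(hours=1)             # assumed correlation window


def _ts(s):
    return datetime.fromisoformat(s)


def score_grants(grants, auth_events, allowlist=ALLOWLIST, window=WINDOW):
    """Findings for non-allowlisted grants: 'high' if an OTP/MFA event for the
    same user follows within `window`, 'medium' if the app source is untrusted,
    otherwise 'low'."""
    findings = []
    for g in grants:
        if g["package"] in allowlist:
            continue
        t0 = _ts(g["granted_at"])
        followed = [e for e in auth_events
                    if e["user"] == g["user"] and e["event"] in SENSITIVE_EVENTS
                    and t0 <= _ts(e["ts"]) <= t0 + window]
        sev = ("high" if followed
               else "medium" if g["source"] not in TRUSTED_SOURCES else "low")
        findings.append({"device": g["device"], "user": g["user"],
                         "package": g["package"], "severity": sev,
                         "auth_events": [e["event"] for e in followed]})
    return findings
```

Calling `score_grants(NOTIFICATION_ACCESS, AUTH_EVENTS)` on the constructed data returns a high-severity finding for bob's sideloaded app and a medium one for carol's third-party app; the allowlisted wearable app is skipped.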
Mitigation priorities
- Use enterprise policy through EMM/MDM to restrict risky device behavior and enforce mobile compliance where feasible.
- Provide user guidance on avoiding unnecessary notification access grants and risky app installation behavior.
- Reduce sensitive content in notifications for enterprise applications where application developer guidance can be applied.
- Review MFA delivery methods and avoid over-reliance on notification-exposed one-time codes for high-risk access paths where stronger alternatives are available.
- During incidents, revoke sessions or credentials as appropriate and review mobile device app inventory before restoring trust in the device.
Analyst notes and limits
This object is Android-specific and has no ATT&CK tactic listed in the supplied fields. ATT&CK’s description explicitly highlights sensitive notification content, one-time authentication codes, dismissal of notifications, and triggering notification action buttons. The relationship set is useful for prioritization because several Android malware/software entries are mapped as using this behavior, but those mappings should not be interpreted as proof of current exposure in any specific environment.
Official detection text is not provided, and the supplied DET0611 relationship does not include detection details. Local telemetry availability will vary significantly by Android version, EMM/MDM configuration, BYOD policy, and mobile security tooling. This take does not assert active exploitation, specific attribution, or guaranteed detection coverage.
Access Notifications
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Groups, software, and campaigns
S1061: AbstractEmu
AbstractEmu is mobile malware that was first seen in Google Play and other third-party stores in October 2021. It was discovered in 19 Android applications, of which at least 7 abused known Android exploits for obtaining root permissions. AbstractEmu was observed primarily impacting users in the United States; however, victims are believed to be spread across a total of 17 countries.[1]
S1195: SpyC23
SpyC23 is a mobile malware that has been used by APT-C-23 since at least 2017. SpyC23 has been observed primarily targeting Android devices in the Middle East.[1]
There are multiple close variants of SpyC23, such as VAMP[2], GnatSpy[3], Desert Scorpion and FrozenCell, which add some additional functionality but are not significantly different from the original malware.
S0432: Bread
Bread was a large-scale billing fraud malware family known for employing many different cloaking and obfuscation techniques in an attempt to continuously evade Google Play Store’s malware detection. 1,700 unique Bread apps were detected and removed from the Google Play Store before being downloaded by users.[1]
S0485: Mandrake
Mandrake is a sophisticated Android espionage platform that has been active in the wild since at least 2016. Mandrake is very actively maintained, with sophisticated features and attacks that are executed with surgical precision.
Mandrake has gone undetected for several years by providing legitimate, ad-free applications with social media and real reviews to back the apps. The malware is only activated when the operators issue a specific command.[1]
S1083: Chameleon
Chameleon is an Android banking trojan that can leverage Android’s Accessibility Services to perform malicious activities. Believed to have been first active in January 2023, Chameleon has been observed targeting users in Australia and Poland by masquerading as official applications. A new variant of Chameleon has expanded its targets to include Android users in the United Kingdom and Italy.[1][2]
S0425: Corona Updates
Corona Updates is Android spyware that took advantage of the Coronavirus pandemic. The campaign distributing this spyware is tracked as Project Spy. Multiple variants of this spyware have been discovered to have been hosted on the Google Play Store.[1]
S1062: S.O.V.A.
S.O.V.A. is an Android banking trojan that was first identified in August 2021 and has subsequently been found in a variety of applications, including banking, cryptocurrency wallet/exchange, and shopping apps. S.O.V.A., which is Russian for "owl", contains features not commonly found in Android malware, such as session cookie theft.[1][2]
S1077: Hornbill
S9006: VajraSpy
VajraSpy is Android malware distributed via trojanized messaging and news applications. It has been used to target individuals in Pakistan and India since at least 2021 and has been delivered through the Google Play Store, malicious domains, and other uncontrolled distribution channels. VajraSpy is attributed with high confidence to Patchwork, which has used the malware to conduct targeted espionage, primarily against devices in Pakistan.[1][2][3]
S1092: Escobar
S0489: WolfRAT
S1067: FluBot
FluBot is a multi-purpose mobile banking malware that was first observed in Spain in late 2020. It primarily spread through European countries using a variety of SMS phishing messages in multiple languages.[1][2] An international law enforcement operation of 11 countries eventually disrupted the spread of FluBot.[3]
C0033: C0033
C0033 was a PROMETHIUM campaign during which the group used StrongPity to target Android users. C0033 was the first publicly documented mobile campaign for PROMETHIUM, who previously used Windows-based techniques.[1]
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources and Updates pages.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.2 | | Current bundle | 008950d8482a… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Lukáš Štefanko. (2019, June 17). Malware sidesteps Google permissions policy with new 2FA bypass technique. ESET. Retrieved September 15, 2019.
[2] MITRE ATT&CK. T1517: Access Notifications.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.