屏幕截图

攻击者可以使用屏幕截图来收集有关在前台运行的应用程序的信息，捕获用户数据，凭据或其他敏感信息。在后台运行的应用程序可以使用Android捕获在前台运行的另一个应用程序的屏幕快照或视频MediaProjectionManager（通常需要设备用户授予同意）。后台应用程序还可以使用Android可访问性服务来捕获前台应用程序正在显示的屏幕内容。具有root访问权限或Android Debug Bridge（adb）访问权限的对手可以调用Android screencap或screenrecord命令。

Adversaries may use screen captures to collect information about applications running in the foreground, capture user data, credentials, or other sensitive information. Applications running in the background can capture screenshots or videos of another application running in the foreground by using the Android MediaProjectionManager (generally requires the device user to grant consent).Background applications can also use Android accessibility services to capture screen contents being displayed by a foreground application.An adversary with root access or Android Debug Bridge (adb) access could call the Android screencap or screenrecord commands.

标签

ID编号： T1513

战术类型： 事后访问设备

策略： 收集

平台： Android

MTC ID： APP-40

程序示例

名称	描述
Exodus(S0405)	Exodus(S0405)可以拍摄前台任何应用程序的屏幕截图。
FlexiSpy(S0408)	FlexiSpy(S0408)可以截取其他应用程序的屏幕截图。
[Monokle(S0407)	用户解锁设备时，Monokle(S0407)可以记录屏幕，并且可以在前台拍摄任何应用程序的屏幕截图。Monokle(S0407)还可以滥用辅助功能，以读取屏幕来捕获来自大量流行应用程序的数据。
SpyDealer(S0324)	SpyDealer(S0324)滥用辅助功能来窃取诸如微信，Skype，Viber和QQ等流行应用程序的消息。

Name	Description
Exodus(S0405)	Exodus Two can take screenshots of any application in the foreground.
FlexiSpy(S0408)	FlexiSpy(S0408) can take screenshots of other applications.
Monokle(S0407)	Monokle(S0407) can record the screen as the user unlocks the device and can take screenshots of any application in the foreground. Monokle(S0407) can also abuse accessibility features to read the screen to capture data from a large number of popular applications.
SpyDealer(S0324)	SpyDealer(S0324) abuses Accessibility features to steal messages from popular apps such as WeChat, Skype, Viber, and QQ.

缓解措施

缓解	描述
应用程序开发人员指南(M1013)	应用程序开发人员可以FLAG_SECURE在其应用程序内将其应用于敏感屏幕，从而使捕获屏幕内容变得更加困难。
应用审查(M1005)	可以对应用程序对Android MediaProjectionManager类的使用进行审核，并仔细检查使用该类的任何应用程序。
企业政策(M1012)	企业策略应阻止用户除非特别需要（例如，如果设备用于应用程序开发），否则禁止用户在Android设备上启用USB调试，从而阻止对Android调试桥（ADB）的访问。EMM / MDM可以使用Android DevicePolicyManager.setPermittedAccessibliityServices方法将允许使用Android的辅助功能的应用程序列入白名单。
用户指南(M1011)	除非预期，否则应建议用户不要同意进行屏幕截图。除非明确要求，否则用户应避免启用USB调试（Android调试桥）。

Mitigation	Description
Application Developer Guidance(M1013)	Application developers can apply FLAG_SECURE to sensitive screens within their apps to make it more difficult for the screen contents to be captured.
Application Vetting(M1005)	Applications can be vetted for their use of the Android MediaProjectionManager class, with extra scrutiny applied to any application that uses the class.
Enterprise Policy(M1012)	Enterprise policies should block access to the Android Debug Bridge (ADB) by preventing users from enabling USB debugging on Android devices unless specifically needed (e.g., if the device is used for application development). An EMM/MDM can use the Android DevicePolicyManager.setPermittedAccessibliityServices method to whitelist applications that are allowed to use Android's accessibility features.
User Guidance(M1011)	Users should be advised not to grant consent for screen captures to occur unless expected. Users should avoid enabling USB debugging (Android Debug Bridge) unless explicitly required.

检测

用户可以在设备设置中查看具有无障碍服务特权的应用程序列表。

The user can view a list of apps with accessibility service privileges in the device settings.