{ "id": "fc60128b-6f2e-4cc2-a84c-cda21b71716e", "created_at": "2026-04-06T00:22:20.21976Z", "updated_at": "2026-04-10T03:30:33.54416Z", "deleted_at": null, "sha1_hash": "a76972ab6283b106bb6b6139b25c2f79e12be8aa", "title": "AUT-13 · Mobile Threat Catalogue", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 33432, "plain_text": "AUT-13 · Mobile Threat Catalogue\r\nArchived: 2026-04-05 17:49:43 UTC\r\nMobile Threat Catalogue\r\nCredential Theft via Keylogging\r\nContribute\r\nThreat Category: Mobile Operating System\r\nID: AUT-13\r\nThreat Description: A malicious application that is able to intercept screen tap events while other applications are\r\nin the foreground can act as a keylogger, thereby collecting authentication credentials (as well as any other\r\nsensitive information, such as PII, entered using the displayed keyboard).\r\nThreat Origin\r\nAn investigation of Chrysaor Malware on Android 1\r\nExploit Examples\r\nAn investigation of Chrysaor Malware on Android 1\r\nCVE Examples\r\nPossible Countermeasures\r\nMobile Device User\r\nTo reduce the potential of downloading a malicious app, such as a keylogger, only install (or permit the\r\ninstallation of) mobile apps downloaded directly from an official app store (e.g. Apple iTunes Store, Google Play).\r\nTo help reduce the opportunity for attack following availability of patches, insure timely installation of mobile OS\r\nsecurity updates.\r\nTo detect malicious applications, deploy on-device agents that automatically initiate malware detection for all\r\ninstalled applications.\r\nTo decrease the value of captured credentials, enable 2-factor authentication for sensitive services (e.g., online\r\nbanking) where the second factor is not tied to the same device.\r\nEnterprise\r\nhttps://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-13.html\r\nPage 1 of 2\n\nTo reduce the potential of downloading a malicious app, such as a keylogger, only install (or permit the\r\ninstallation of) mobile apps downloaded directly from an official app store (e.g. Apple iTunes Store, Google Play).\r\nTo help reduce the opportunity for attack following availability of patches, insure timely installation of mobile OS\r\nsecurity updates.\r\nTo detect malicious applications, deploy on-device agents that automatically initiate malware detection for all\r\ninstalled applications.\r\nUse tools or device APIs (Android SafetyNet, Samsung Knox hardware-backed remote attestation, or other\r\napplicable remote attestation technologies) to detect and block enterprise connectivity from devices until they pass\r\nsuch integrity checks.\r\nReferences\r\nSource: https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-13.html\r\nhttps://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-13.html\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "MITRE" ], "references": [ "https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-13.html" ], "report_names": [ "AUT-13.html" ], "threat_actors": [ { "id": "75108fc1-7f6a-450e-b024-10284f3f62bb", "created_at": "2024-11-01T02:00:52.756877Z", "updated_at": "2026-04-10T02:00:05.273746Z", "deleted_at": null, "main_name": "Play", "aliases": null, "source_name": "MITRE:Play", "tools": [ "Nltest", "AdFind", "PsExec", "Wevtutil", "Cobalt Strike", "Playcrypt", "Mimikatz" ], "source_id": "MITRE", "reports": null } ], "ts_created_at": 1775434940, "ts_updated_at": 1775791833, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/a76972ab6283b106bb6b6139b25c2f79e12be8aa.pdf", "text": "https://archive.orkl.eu/a76972ab6283b106bb6b6139b25c2f79e12be8aa.txt", "img": "https://archive.orkl.eu/a76972ab6283b106bb6b6139b25c2f79e12be8aa.jpg" } }