{
	"id": "5a57d4f8-8c6b-4106-b485-0efe81648dc4",
	"created_at": "2026-04-06T00:07:23.117132Z",
	"updated_at": "2026-04-10T03:30:33.479548Z",
	"deleted_at": null,
	"sha1_hash": "ebe498228db10107acf1558aff404bc3948d99f6",
	"title": "APP-40 · Mobile Threat Catalogue",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 34156,
	"plain_text": "APP-40 · Mobile Threat Catalogue\r\nArchived: 2026-04-05 20:21:09 UTC\r\nCapturing Raw Screen Buffer\r\nThreat Category: Malicious or privacy-invasive application\r\nID: APP-40\r\nThreat Description: A malicious application that has elevated to root privileges may be able to capture the contents of the screen buffer, in essence taking a screenshot of any foreground activity. This would allow an attacker to steal authentication credentials or gain unauthorized access to any other sensitive information displayed in the foreground. Note that this capture would not be handled like a user-initiated screenshot, and would not automatically be stored in the default locations read by camera or photo browser apps (e.g., Google Photos).\r\nThreat Origin\r\nAn investigation of Chrysaor Malware on Android [1]\r\nExploit Examples\r\nAn investigation of Chrysaor Malware on Android [1]\r\nCVE Examples\r\nPossible Countermeasures\r\nMobile Device User\r\nTo limit the window in which an attacker can realize this threat after a security patch for a privilege escalation vulnerability has been released, ensure timely installation of mobile OS security updates.\r\nTo reduce the probability of installing a malicious application, obtain public apps from an official app store (e.g., Google Play, iTunes Store).\r\nOn Android, to prevent an attacker from remotely installing third-party malicious apps, ensure Security \u003e Unknown Sources is turned off.\r\nTo detect malicious applications, use on-device agents that automatically perform signature- and/or behavior-based malware detection.\r\nEnterprise\r\nTo limit the window in which an attacker can realize this threat after a security patch for a privilege escalation vulnerability has been released, ensure timely installation of mobile OS security updates.\r\nTo prevent users of managed Android devices from installing applications from unknown sources, deploy EMM solutions that effectively disable the Unknown Sources feature.\r\nTo detect malicious applications, use on-device agents that automatically perform signature- and/or behavior-based malware detection.\r\nTo prevent granting access to compromised devices, use tools or device APIs (Android SafetyNet, Samsung Knox hardware-backed remote attestation, or other applicable remote attestation technologies) to detect and block enterprise connectivity from devices that fail attestation or integrity checks.\r\nReferences\r\nSource: https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-40.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-40.html"
	],
	"report_names": [
		"APP-40.html"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434043,
	"ts_updated_at": 1775791833,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ebe498228db10107acf1558aff404bc3948d99f6.pdf",
		"text": "https://archive.orkl.eu/ebe498228db10107acf1558aff404bc3948d99f6.txt",
		"img": "https://archive.orkl.eu/ebe498228db10107acf1558aff404bc3948d99f6.jpg"
	}
}