CAPEC-501: Android Activity Hijack
Description
Extended Description
Most of them use only one security question. For instance, mother's maiden name tends to be a fairly popular one. Unfortunately in many cases this information is not very hard to find, especially if the attacker knows the legitimate user. These generic security questions are also re-used across many applications, thus making them even more insecure. An attacker could for instance overhear a coworker talking to a bank representative at the work place and supplying their mother's maiden name for verification purposes. An attacker can then try to log in into one of the victim's accounts, click on "forgot password" and there is a good chance that the security question there will be to provide mother's maiden name. A weak password recovery scheme totally undermines the effectiveness of a strong password scheme.
Severity :
Medium
Possibility :
Type :
Detailed
Relationships with other CAPECs
This table shows the other attack patterns and high level categories that are related to this attack pattern.
Prerequisites
This table shows the other attack patterns and high level categories that are related to this attack pattern.
- The adversary must have previously installed the malicious application onto the Android device that will run in place of the trusted activity.
Skills required
This table shows the other attack patterns and high level categories that are related to this attack pattern.
- High The adversary must typically overcome network and host defenses in order to place malware on the system.
Taxonomy mappings
Mappings to ATT&CK, OWASP and other frameworks.
Resources required
Malware capable of acting on the adversary's objectives.
Related CWE
A Related Weakness relationship associates a weakness with this attack pattern. Each association implies a weakness that must exist for a given attack to be successful.
Visit http://capec.mitre.org/ for more details.