Exported ContentProvider → private data leak
App exports a ContentProvider for legitimate inter-app integration but forgets to enforce grantUri / signature permissions — a rogue installed app reads private auth tokens.
§ Context
Assumed environment: a malicious app is installed alongside the target (via Play Store with overly-permissive permissions or a sideload). Target's manifest has android:exported='true' on a sensitive provider.
§ Steps
- 01 Exfil tokens / PII (Exfiltration, T1041: Exfiltration Over C2 Channel)
- 02 Build / install rogue companion app (Initial Access, T1078: Valid Accounts)
- 03 Query the provider URI (Credential Access, T1552: Unsecured Credentials)
- 04 Check readPermission / writePermission attrs (Discovery, T1083: File and Directory Discovery)
- 05 Spot exported ContentProvider (Collection, MOB-CONTENT-PROVIDER: Content Provider Data Leak)
- 06 Reverse target APK (Reconnaissance, MOB-APK-REVERSE: APK Reverse Engineering)
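The misconfiguration described in Context (an exported provider with no permission enforcement) and the hardening a defender would apply, as an added manifest example that is not from the page or from any real app; the package name, authority and permission names are placeholders:

```xml
<!-- Added example, not from the page: a weak provider declaration beside its hardened form.
     Package, authority and permission names are placeholders. -->
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.target">

    <!-- Vulnerable form (commented out): exported with no readPermission / writePermission,
         so any installed app can query content://com.example.target.tokens/ and read
         whatever the provider serves.

    <provider
        android:name=".TokenProvider"
        android:authorities="com.example.target.tokens"
        android:exported="true" />
    -->

    <!-- Hardened form: a custom permission with protectionLevel="signature" can only be held
         by apps signed with the same key as this app, so the legitimate companion keeps
         working while an arbitrary sideloaded app is refused at the provider boundary. -->
    <permission
        android:name="com.example.target.permission.READ_TOKENS"
        android:protectionLevel="signature" />
    <permission
        android:name="com.example.target.permission.WRITE_TOKENS"
        android:protectionLevel="signature" />

    <application android:label="Target">
        <!-- If no other app needs this provider at all, android:exported="false" is the
             right answer and the permissions below become unnecessary. -->
        <provider
            android:name=".TokenProvider"
            android:authorities="com.example.target.tokens"
            android:exported="true"
            android:readPermission="com.example.target.permission.READ_TOKENS"
            android:writePermission="com.example.target.permission.WRITE_TOKENS"
            android:grantUriPermissions="false" />
    </application>
</manifest>
```

Keeping android:grantUriPermissions="false" (the default) means the app cannot hand out temporary URI grants to arbitrary callers; where one-off sharing of a specific path is genuinely needed, a nested grant-uri-permission element with a narrow pathPattern is the scoped alternative. Reviewing every exported provider's readPermission / writePermission attributes during a manifest audit is the defender-side counterpart of step 04 above.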
§ References
§ Frequently asked
- What is the "Exported ContentProvider → private data leak" attack path?
- App exports a ContentProvider for legitimate inter-app integration but forgets to enforce grantUri / signature permissions — a rogue installed app reads private auth tokens. It chains 6 steps drawn from real-world offensive-security techniques.
- What starting position does this attack require?
- The first step is Exfil tokens / PII (T1041), an exfiltration primitive. Assumed environment: a malicious app is installed alongside the target (via Play Store with overly-permissive permissions or a sideload).
- What is the final impact of this kill-chain?
- The final step lands on Reverse target APK (MOB-APK-REVERSE), which falls under Reconnaissance. From here, an operator typically pivots into post-exploitation or maintains persistence.
- How can defenders detect or prevent this attack?
- Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.
§ Related dossiers
- Evil maid → sniff TPM unseal → decrypt BitLocker offline (shared techniques: 3)
  Brief physical access to a TPM-only BitLocker laptop. Plug a logic analyser onto the LPC / SPI bus; capture the FVEK as the TPM unseals it at boot. Take the disk home, decrypt offline.
- BLE eavesdrop + replay → smart lock open (shared techniques: 3)
  Smart lock uses BLE Just-Works pairing + plaintext 'unlock' opcode. Sniff once with an nRF52 in monitor mode, replay later from a $10 device.
- User foothold → keychain dump → cloud creds (shared techniques: 3)
  Standard user shell on macOS. Brute the login.keychain master via ChainBreaker / a keylogged password; dump all entries: Safari saved creds, AWS keys, Slack tokens, SSO cookies.
- Vesting beneficiary replace → silently drain stream (shared techniques: 2)
  Bug in a custom vesting contract allows anyone to call setBeneficiary on existing schedules. Replace beneficiary with attacker address; legitimate token stream now flows to attacker until released funds are noticed.
- Dev workstation → cloud backup keys → encrypted vault store (LastPass 2022) (shared techniques: 2)
  Attacker compromised a single LastPass DevOps engineer's home machine via outdated Plex Media Server, harvested AWS keys for the encrypted-vault backup bucket, exfiltrated production vault data.
- Mass SMS phish → Okta-style portal → SaaS sprawl (0ktapus) (shared techniques: 2)
  Wide SMS phishing campaign targeting employees of ~130 organisations with a single phishlet that captures Okta credentials + push approval. Mass automated logins to Twilio, MailChimp, DoorDash et al.