T1418.001 Security Software Discovery

Adversaries may attempt to get a listing of security applications and configurations that are installed on a device. This may include things such as mobile security products. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not to fully infect the target and/or attempt specific actions.

| Item | Value |
| --- | --- |
| ID | T1418.001 |
| Sub-techniques | T1418.001 |
| Tactics | TA0032 |
| Platforms | Android, iOS |
| Version | 1.1 |
| Created | 31 March 2022 |
| Last Modified | 20 March 2023 |

Procedure Examples

| ID | Name | Description |
| --- | --- | --- |
| S0522 | Exobot | Exobot can obtain a list of installed applications and can detect if an antivirus application is running, and close it if it is. [3] |
| S0406 | Gustuff | Gustuff checks for antivirus software contained in a predefined list. [2] |

Mitigations

| ID | Mitigation | Description |
| --- | --- | --- |
| M1006 | Use Recent OS Version | Android 11 introduced privacy enhancements to package visibility, filtering results that are returned from the package manager. iOS 12 removed the private API that could previously be used to list installed applications on non-app store applications. [1] |
| M1011 | User Guidance | iOS users should be instructed to not download applications from unofficial sources, as applications distributed via the Apple App Store cannot list installed applications on a device. |

Detection

| ID | Data Source | Data Component |
| --- | --- | --- |
| DS0041 | Application Vetting | API Calls |
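
As an added illustration of the application vetting listed above (not part of the ATT&CK entry or any vendor's tooling), the following check inspects a decoded AndroidManifest.xml for the ways an app can see other installed packages despite Android 11 filtering. The finding IDs, the watchlist package names and the sample manifest are constructed for this example; it assumes the manifest has already been decoded to XML and that filtering applies only to apps targeting API level 30 or higher.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Constructed watchlist: replace with the package names of security products you deploy.
SECURITY_PACKAGES = {"com.example.mobileav", "com.example.mdmagent"}

# Constructed sample manifest, in the decoded XML form an APK decoder produces.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
  <uses-sdk android:targetSdkVersion="33"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <queries>
    <package android:name="com.example.mobileav"/>
    <package android:name="com.example.maps"/>
  </queries>
</manifest>"""


def vet_manifest(manifest_xml, watchlist=SECURITY_PACKAGES):
    """Return (finding_id, detail) tuples for package-visibility concerns."""
    root = ET.fromstring(manifest_xml)
    findings = []

    # Apps targeting below API 30 are not subject to Android 11 package filtering.
    sdk = root.find("uses-sdk")
    target = int(sdk.get(ANDROID_NS + "targetSdkVersion", "0")) if sdk is not None else 0
    if target < 30:
        findings.append(("LEGACY_TARGET_SDK", f"targetSdkVersion={target}"))

    # QUERY_ALL_PACKAGES restores visibility of every installed package.
    for perm in root.iter("uses-permission"):
        if perm.get(ANDROID_NS + "name") == "android.permission.QUERY_ALL_PACKAGES":
            findings.append(("QUERY_ALL_PACKAGES", "full installed-package visibility"))

    # A <queries> entry naming a security product is a targeted visibility request.
    for pkg in root.findall("queries/package"):
        name = pkg.get(ANDROID_NS + "name")
        if name in watchlist:
            findings.append(("QUERIES_SECURITY_PACKAGE", name))
    return findings


if __name__ == "__main__":
    for finding_id, detail in vet_manifest(SAMPLE_MANIFEST):
        print(finding_id, detail)
```

Findings from this check are triage signals for a reviewer, since launchers, device-management agents and security products themselves have legitimate reasons to request broad package visibility.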

References