Skip to content

T1475 Deliver Malicious App via Authorized App Store

Malicious applications are a common attack vector used by adversaries to gain a presence on mobile devices. Mobile devices often are configured to allow application installation only from an authorized app store (e.g., Google Play Store or Apple App Store). An adversary may seek to place a malicious application in an authorized app store, enabling the application to be installed onto targeted devices.

App stores typically require developer registration and use vetting techniques to identify malicious applications. Adversaries may use these techniques against app store defenses:

Adversaries may also seek to evade vetting by placing code in a malicious application to detect whether it is running in an app analysis environment and, if so, avoid performing malicious actions while under analysis. 1 2 3 4

Adversaries may also use fake identities, payment cards, etc., to create developer accounts to publish malicious applications to app stores. 2

Adversaries may also use control of a target’s Google account to use the Google Play Store’s remote installation capability to install apps onto the Android devices associated with the Google account. 5 6 (Only applications that are available for download through the Google Play Store can be remotely installed using this technique.)

Item Value
ID T1475
Sub-techniques
Tactics TA0027
Platforms Android, iOS
Version 1.1
Created 17 October 2018
Last Modified 14 October 2019

Procedure Examples

ID Name Description
S0525 Android/AdDisplay.Ashas Android/AdDisplay.Ashas has been identified in 42 apps in the Google Play Store.21
S0422 Anubis Anubis has been delivered via the Google Play Store.24
S0432 Bread Bread has been distributed through the Play Store. Some versions started off as clean to build a userbase and developer reputation. These versions were then updated to introduce malicious code.14
S0555 CHEMISTGAMES CHEMISTGAMES has been distributed via the Google Play Store.23
S0426 Concipit1248 Concipit1248 has been distributed through the App Store.13
S0425 Corona Updates Corona Updates has been distributed through the Play Store.13
S0479 DEFENSOR ID DEFENSOR ID was delivered via the Google Play Store.15
S0301 Dendroid Dendroid has been distributed via the Google Play Store.20
S0505 Desert Scorpion Desert Scorpion has been distributed via the Google Play Store.18
S0420 Dvmap Dvmap was delivered via the Google Play Store. It evaded Google Play Store checks by uploading a clean application, and replacing it with a malicious version for a short period of time. This occurred at least 5 times in a one month period.11
S0507 eSurv eSurv’s Android version was available in the Google Play Store.19
S0405 Exodus Exodus One has been distributed via the Play Store.10
S0535 Golden Cup Golden Cup has been distributed via the Google Play Store.22
S0485 Mandrake Mandrake has had the first stage (dropper) distributed via the Google Play Store.16
S0316 Pegasus for Android Pegasus for Android attempts to detect whether it is running in an emulator rather than a real device.8
S0419 SimBad SimBad was distributed via the Google Play Store.12
S0424 Triada Early Triada variants were delivered through trojanized apps that were distributed via the Play Store.9
G0112 Windshift Windshift has distributed malicious apps via the Google Play Store and Apple App Store.25
S0494 Zen Zen has been distributed via the Google Play Store.17
S0287 ZergHelper ZergHelper apparently evaded Apple’s app review process by performing different behaviors for users from different physical locations (e.g. performing differently for users in China versus outside of China), which could have bypassed the review process depending on the country from which it was performed.7

Mitigations

ID Mitigation Description
M1005 Application Vetting App store operators and enterprises could assess reputational characteristics of the app, including the popularity of the app or other apps from the same developer and whether or not security issues have been found in other apps from the same developer.
M1011 User Guidance Encourage developers to protect their account credentials and enable multi-factor authentication if available. Encourage developers to protect their signing keys.

References


  1. Thanasis Petsas, Giannis Voyatzis, Elias Athanasopoulos, Michalis Polychronakis, Sotiris Ioannidis. (2014, April). Rage Against the Virtual Machine: Hindering Dynamic Analysis of Android Malware. Retrieved December 12, 2016. 

  2. Jon Oberheide and Charlie Miller. (2012). Dissecting the Android Bouncer. Retrieved December 12, 2016. 

  3. Nicholas J. Percoco and Sean Schulte. (2012). Adventures in BouncerLand. Retrieved December 12, 2016. 

  4. Tielei Wang, Kangjie Lu, Long Lu, Simon Chung, and Wenke Lee. (2013, August). Jekyll on iOS: When Benign Apps Become Evil. Retrieved December 9, 2016. 

  5. Jon Oberheide. (2010, June 25). Remote Kill and Install on Google Android. Retrieved December 12, 2016. 

  6. Radhesh Krishnan Konoth, Victor van der Veen, and Herbert Bos. (n.d.). How Anywhere Computing Just Killed Your Phone-Based Two-Factor Authentication. Retrieved December 12, 2016. 

  7. Claud Xiao. (2016, February 21). Pirated iOS App Store’s Client Successfully Evaded Apple iOS Code Review. Retrieved December 12, 2016. 

  8. Mike Murray. (2017, April 3). Pegasus for Android: the other side of the story emerges. Retrieved April 16, 2017. 

  9. Snow, J. (2016, March 3). Triada: organized crime on Android. Retrieved July 16, 2019. 

  10. Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved September 3, 2019. 

  11. R. Unuchek. (2017, June 8). Dvmap: the first Android malware with code injection. Retrieved December 10, 2019. 

  12. Elena Root, Andrey Polkovnichenko. (2019, March 13). SimBad: A Rogue Adware Campaign On Google Play. Retrieved November 21, 2019. 

  13. T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. Retrieved April 24, 2020. 

  14. A. Guertin, V. Kotov, Android Security & Privacy Team. (2020, January 9). PHA Family Highlights: Bread (and Friends) . Retrieved April 27, 2020. 

  15. L. Stefanko. (2020, May 22). Insidious Android malware gives up all malicious features but one to gain stealth. Retrieved June 26, 2020. 

  16. R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020. 

  17. Siewierski, L. (2019, January 11). PHA Family Highlights: Zen and its cousins . Retrieved July 27, 2020. 

  18. A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. Retrieved September 11, 2020. 

  19. A. Bauer. (2019, April 8). Lookout discovers phishing sites distributing new iOS and Android surveillanceware. Retrieved September 11, 2020. 

  20. Marc Rogers. (2014, March 6). Dendroid malware can take over your camera, record audio, and sneak into Google Play. Retrieved December 22, 2016. 

  21. L. Stefanko. (2019, October 24). Tracking down the developer of Android adware affecting millions of users. Retrieved October 29, 2020. 

  22. R. Iarchy, E. Rynkowski. (2018, July 5). GoldenCup: New Cyber Threat Targeting World Cup Fans. Retrieved October 29, 2020. 

  23. B. Leonard, N. Mehta. (2019, November 21). The Secret Life of Sandworms. Retrieved December 31, 2020. 

  24. K. Sun. (2019, January 17). Google Play Apps Drop Anubis, Use Motion-based Evasion. Retrieved January 20, 2021. 

  25. The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. Retrieved February 8, 2021. 

Back to top