Skip to content

T1476 Deliver Malicious App via Other Means

Malicious applications are a common attack vector used by adversaries to gain a presence on mobile devices. This technique describes installing a malicious application on targeted mobile devices without involving an authorized app store (e.g., Google Play Store or Apple App Store). Adversaries may wish to avoid placing malicious applications in an authorized app store due to increased potential risk of detection or other reasons. However, mobile devices often are configured to allow application installation only from an authorized app store which would prevent this technique from working.

Delivery methods for the malicious application include:

  • Spearphishing Attachment - Including the mobile app package as an attachment to an email message.
  • Spearphishing Link - Including a link to the mobile app package within an email, text message (e.g. SMS, iMessage, Hangouts, WhatsApp, etc.), web site, QR code, or other means.
  • Third-Party App Store - Installed from a third-party app store (as opposed to an authorized app store that the device implicitly trusts as part of its default behavior), which may not apply the same level of scrutiny to apps as applied by an authorized app store.123

Some Android malware comes with functionality to install additional applications, either automatically or when the adversary instructs it to.4

Item Value
ID T1476
Tactics TA0027
Platforms Android, iOS
Version 1.2
Created 17 October 2018
Last Modified 09 February 2021

Procedure Examples

ID Name Description
S0440 Agent Smith Agent Smith has been distributed through the 9apps app store.20
S0304 Android/Chuli.A Android/Chuli.A was delivered via a spearphishing message containing a malicious Android application as an attachment.6
S0524 AndroidOS/MalLocker.B AndroidOS/MalLocker.B has been spread using direct download links. 29
S0422 Anubis Anubis was distributed via phishing link in an email.19
S0540 Asacub Asacub has been spread via phishing SMS messages that contain a link to a website that hosts the malicious APK file.31
G0097 Bouncing Golf Bouncing Golf delivered GolfSpy via a hosted application binary advertised on social media.18
S0432 Bread Bread can install additional applications.23
S0480 Cerberus Cerberus has been delivered to the device via websites that prompt the user to “[…] install Adobe Flash Player” and then downloads the malicious APK to the device.21
G0070 Dark Caracal Dark Caracal distributes Pallas via trojanized applications hosted on watering hole websites.12
S0507 eSurv eSurv has been distributed via phishing websites with geo-restrictions that allow access to only Italian and Turkmenistani mobile carriers. eSurv can install applications via malicious iOS provisioning profiles containing the developer’s certificate.26
S0522 Exobot Exobot has been spread using direct download links.28
S0509 FakeSpy FakeSpy is spread via direct download links in SMS phishing messages.27
S0421 GolfSpy GolfSpy can install attacker-specified applications.18
S0406 Gustuff Gustuff was distributed via SMS phishing messages to numbers exfiltrated from compromised devices’ contact lists. The phishing SMS messages are sent from the compromised device to the target device.14
S0544 HenBox HenBox has been distributed via third-party app stores.32
S0317 Marcher Marcher is delivered via a link sent by SMS or email, including instructions advising the user to modify their Android device security settings to enable apps to be installed from “Unknown Sources.”7
S0303 MazarBOT MazarBOT is delivered via an unsolicited text message containing a link to a web download URI.9
S0399 Pallas Pallas has the ability to download and install attacker-specified applications.12
S0539 Red Alert 2.0 Red Alert 2.0 has been distributed via webpages designed to look like the Play Store.30
S0326 RedDrop RedDrop uses ads or other links within websites to encourage users to download the malicious apps using a complex content distribution network (CDN) and series of network redirects. RedDrop also downloads additional components (APKs, JAR files) from different C2 servers.10
S0403 Riltok Riltok is distributed via phishing SMS messages from infected devices.13
S0411 Rotexy Rotexy is distributed through phishing links sent in SMS messages as AvitoPay.apk.15
S0313 RuMMS RuMMS is delivered via an SMS message containing a link to an APK (Android application package).5
S0419 SimBad SimBad can install attacker-specified applications.17
S0558 Tiktok Pro Tiktok Pro has been distributed via direct download on 3rd party websites, with the link sent in phishing SMS messsages.33
S0302 Twitoor Twitoor can install attacker-specified applications.25
S0418 ViceLeaker ViceLeaker was primarily distributed via Telegram and WhatsApp messages.16
S0506 ViperRAT ViperRAT has been distributed through 3rd party websites.24
G0112 Windshift Windshift has distributed malicious apps via their own websites during Operation BULL.34
S0318 XLoader for Android XLoader for Android has been distributed via phishing websites.22
S0490 XLoader for iOS XLoader for Android has been distributed via phishing SMS messages, which link to a malicious website hosting a device profile.22
S0311 YiSpecter YiSpecter‘s malicious apps were signed with iOS enterprise certificates issued by Apple to allow the apps to be installed as enterprise apps on non-jailbroken iOS devices.11
S0287 ZergHelper ZergHelper abuses enterprises certificate and personal certificates to sign and distribute apps.8


ID Mitigation Description
M1012 Enterprise Policy On iOS, the allowEnterpriseAppTrust and allowEnterpriseAppTrustModification configuration profile restrictions can be used to prevent users from installing apps signed using enterprise distribution keys.
M1011 User Guidance iOS 9 and above requires explicit user consent before allowing installation of applications signed with enterprise distribution keys rather than installed from Apple’s App Store. Users should be encouraged to not agree to installation of applications signed with enterprise distribution keys unless absolutely certain of the source of the application. On Android, the “Unknown Sources” setting must be enabled for users to install apps from sources other than an authorized app store (such as the Google Play Store), so users should be encouraged not to enable that setting.


  1. A Prasad. (2016, February 19). Danger lurks in third-party Android app stores. Retrieved November 8, 2018. 

  2. Jordan Pan. (2016, February 10). User Beware: Rooting Malware Found in 3rd Party App Stores. Retrieved November 8, 2018. 

  3. Veo Zhang. (2014, February 18). Flappy Bird and Third-Party App Stores. Retrieved November 8, 2018. 

  4. Lukáš Štefanko. (2018, December 11). Android Trojan steals money from PayPal accounts even with 2FA on. Retrieved July 11, 2019. 

  5. Wu Zhou, Deyu Hu, Jimmy Su, Yong Kang. (2016, April 26). RUMMS: THE LATEST FAMILY OF ANDROID MALWARE ATTACKING USERS IN RUSSIA VIA SMS PHISHING. Retrieved February 6, 2017. 

  6. Costin Raiu, Denis Maslennikov, Kurt Baumgartner. (2013, March 26). Android Trojan Found in Targeted Attack. Retrieved December 23, 2016. 

  7. Proofpoint. (2017, November 3). Credential phishing and an Android banking Trojan combine in Austrian mobile attacks. Retrieved July 6, 2018. 

  8. Claud Xiao. (2016, February 21). Pirated iOS App Store’s Client Successfully Evaded Apple iOS Code Review. Retrieved December 12, 2016. 

  9. Graham Cluley. (2016, February 16). Android users warned of malware attack spreading via SMS. Retrieved December 23, 2016. 

  10. Nell Campbell. (2018, February 27). RedDrop: the blackmailing mobile malware family lurking in app stores. Retrieved September 18, 2018. 

  11. Claud Xiao. (2015, October 4). YiSpecter: First iOS Malware That Attacks Non-jailbroken Apple iOS Devices by Abusing Private APIs. Retrieved January 20, 2017. 

  12. Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018. 

  13. Tatyana Shishkova. (2019, June 25). Riltok mobile Trojan: A banker with global reach. Retrieved August 7, 2019. 

  14. Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia . Retrieved September 3, 2019. 

  15. T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan – banker and ransomware. Retrieved September 23, 2019. 

  16. GReAT. (2019, June 26). ViceLeaker Operation: mobile espionage targeting Middle East. Retrieved November 21, 2019. 

  17. Elena Root, Andrey Polkovnichenko. (2019, March 13). SimBad: A Rogue Adware Campaign On Google Play. Retrieved November 21, 2019. 

  18. E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign ‘Bouncing Golf’ Affects Middle East. Retrieved January 27, 2020. 

  19. M. Feller. (2020, February 5). Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. Retrieved April 8, 2020. 

  20. A. Hazum, F. He, I. Marom, B. Melnykov, A. Polkovnichenko. (2019, July 10). Agent Smith: A New Species of Mobile Malware. Retrieved May 7, 2020. 

  21. Z. Doffman. (2019, August 16). Warning As Devious New Android Malware Hides In Fake Adobe Flash Player Installations (Updated). Retrieved June 26, 2020. 

  22. Hiroaki, H., Wu, L., Wu, L.. (2019, April 2). XLoader Disguises as Android Apps, Has FakeSpy Links. Retrieved July 20, 2020. 

  23. Hazum, A., Melnykov, B., Wernik, I.. (2020, July 9). New Joker variant hits Google Play with an old trick. Retrieved July 20, 2020. 

  24. M. Flossman. (2017, February 16). ViperRAT: The mobile APT targeting the Israeli Defense Force that should be on your radar. Retrieved September 11, 2020. 

  25. ESET. (2016, August 24). First Twitter-controlled Android botnet discovered. Retrieved December 22, 2016. 

  26. A. Bauer. (2019, April 8). Lookout discovers phishing sites distributing new iOS and Android surveillanceware. Retrieved September 11, 2020. 

  27. O. Almkias. (2020, July 1). FakeSpy Masquerades as Postal Service Apps Around the World. Retrieved September 15, 2020. 

  28. Threat Fabric. (2017, February). Exobot - Android banking Trojan on the rise. Retrieved October 29, 2020. 

  29. D. Venkatesan. (2020, October 8). Sophisticated new Android malware marks the latest evolution of mobile ransomware . Retrieved October 29, 2020. 

  30. J. Chandraiah. (2018, July 23). Red Alert 2.0: Android Trojan targets security-seekers. Retrieved December 14, 2020. 

  31. T. Shishkova. (2018, August 28). The rise of mobile banker Asacub. Retrieved December 14, 2020. 

  32. A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. Retrieved September 9, 2019. 

  33. S. Desai. (2020, September 8). TikTok Spyware. Retrieved January 5, 2021. 

  34. The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. Retrieved February 8, 2021. 

Back to top