T1508 Suppress Application Icon

A malicious application could suppress its icon from being displayed to the user in the application launcher to hide the fact that it is installed, and to make it more difficult for the user to uninstall the application. Hiding the application’s icon programmatically does not require any special permissions.

This behavior has been seen in the BankBot/Spy Banker family of malware.[1][2][3]

| Item | Value |
| --- | --- |
| ID | T1508 |
| Sub-techniques | |
| Tactics | TA0030 |
| Platforms | Android |
| Version | 1.1 |
| Created | 11 July 2019 |
| Last Modified | 14 November 2019 |

Procedure Examples

| ID | Name | Description |
| --- | --- | --- |
| S0440 | Agent Smith | Agent Smith can hide its icon from the application launcher.[11] |
| S0525 | Android/AdDisplay.Ashas | Android/AdDisplay.Ashas can hide its icon and create a shortcut based on the C2 server response.[17] |
| S0655 | BusyGasper | BusyGasper can hide its icon.[20] |
| S0480 | Cerberus | Cerberus hides its icon from the application drawer after being launched for the first time.[12] |
| S0505 | Desert Scorpion | Desert Scorpion can hide its icon.[14] |
| S0550 | DoubleAgent | DoubleAgent has hidden its app icon.[18] |
| S0509 | FakeSpy | FakeSpy can hide its icon if it detects that it is being run on an emulator.[16] |
| S0408 | FlexiSpy | FlexiSpy is capable of hiding SuperSU’s icon if it is installed and visible.[4] FlexiSpy can also hide its own icon to make detection and the uninstallation process more difficult.[5] |
| S0423 | Ginp | Ginp hides its icon after installation.[10] |
| S0406 | Gustuff | Gustuff hides its icon after installation.[7] |
| S0485 | Mandrake | Mandrake can hide its icon on older Android versions.[13] |
| S0411 | Rotexy | Rotexy hides its icon after first launch.[6] |
| S0419 | SimBad | SimBad hides its icon from the application launcher.[8] |
| S0558 | Tiktok Pro | Tiktok Pro can hide its icon after launch.[19] |
| S0302 | Twitoor | Twitoor can hide its presence on the system.[15] |
| S0418 | ViceLeaker | ViceLeaker includes code to hide its icon, but the function does not appear to be called in an analyzed version of the software.[9] |

References


  1. Lukáš Štefanko. (2018, December 11). Android Trojan steals money from PayPal accounts even with 2FA on. Retrieved July 11, 2019. 

  2. Lukáš Štefanko. (2017, February 22). Sunny with a chance of stolen credentials: Malicious weather app found on Google Play. Retrieved July 11, 2019. 

  3. NJCCIC. (2017, March 2). BankBot/Spy Banker. Retrieved July 11, 2019. 

  4. K. Lu. (n.d.). Deep Technical Analysis of the Spyware FlexiSpy for Android. Retrieved September 10, 2019. 

  5. FlexiSpy. (n.d.). FlexiSpy Monitoring Features. Retrieved September 4, 2019. 

  6. T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan – banker and ransomware. Retrieved September 23, 2019. 

  7. Group-IB. (2019, March 28). Group-IB uncovers Android Trojan named «Gustuff» capable of targeting more than 100 global banking apps, cryptocurrency and marketplace applications. Retrieved September 3, 2019. 

  8. Elena Root, Andrey Polkovnichenko. (2019, March 13). SimBad: A Rogue Adware Campaign On Google Play. Retrieved November 21, 2019. 

  9. L. Arsene, C. Ochinca. (2018, August 20). Triout – Spyware Framework for Android with Extensive Surveillance Capabilities. Retrieved January 21, 2020. 

  10. ThreatFabric. (2019, November). Ginp - A malware patchwork borrowing from Anubis. Retrieved April 8, 2020. 

  11. A. Hazum, F. He, I. Marom, B. Melnykov, A. Polkovnichenko. (2019, July 10). Agent Smith: A New Species of Mobile Malware. Retrieved May 7, 2020. 

  12. Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. Retrieved June 26, 2020. 

  13. R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020.

  14. A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. Retrieved September 11, 2020. 

  15. ESET. (2016, August 24). First Twitter-controlled Android botnet discovered. Retrieved December 22, 2016. 

  16. O. Almkias. (2020, July 1). FakeSpy Masquerades as Postal Service Apps Around the World. Retrieved September 15, 2020. 

  17. L. Stefanko. (2019, October 24). Tracking down the developer of Android adware affecting millions of users. Retrieved October 29, 2020. 

  18. A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020. 

  19. S. Desai. (2020, September 8). TikTok Spyware. Retrieved January 5, 2021. 

  20. Alexey Firsh. (2018, August 29). BusyGasper – the unfriendly spy. Retrieved October 1, 2021. 
