T1628.001 Suppress Application Icon
A malicious application could suppress its icon from being displayed to the user in the application launcher. This hides the fact that it is installed, and can make it more difficult for the user to uninstall the application. Hiding the application’s icon programmatically does not require any special permissions.
This behavior has been seen in the BankBot/Spy Banker family of malware.435
Beginning in Android 10, changes were introduced to inhibit malicious applications’ ability to hide their icon. If an app is a system app, requests no permissions, or does not have a launcher activity, the application’s icon will be fully hidden. Further, if the device is fully managed or the application is in a work profile, the icon will be fully hidden. Otherwise, a synthesized activity is shown, which is a launcher icon that represents the app’s details page in the system settings. If the user clicks the synthesized activity in the launcher, they are taken to the application’s details page in the system settings.12
Item | Value |
---|---|
ID | T1628.001 |
Sub-techniques | T1628.001, T1628.002 |
Tactics | TA0030 |
Platforms | Android |
Version | 1.1 |
Created | 30 March 2022 |
Last Modified | 20 March 2023 |
Procedure Examples
ID | Name | Description |
---|---|---|
S0440 | Agent Smith | Agent Smith can hide its icon from the application launcher.16 |
S0525 | Android/AdDisplay.Ashas | Android/AdDisplay.Ashas can hide its icon and create a shortcut based on the C2 server response.22 |
S0655 | BusyGasper | BusyGasper can hide its icon.8 |
S0480 | Cerberus | Cerberus hides its icon from the application drawer after being launched for the first time.15 |
S0505 | Desert Scorpion | Desert Scorpion can hide its icon.21 |
S0550 | DoubleAgent | DoubleAgent has hidden its app icon.20 |
S1054 | Drinik | Drinik can hide its application icon.18 |
S0509 | FakeSpy | FakeSpy can hide its icon if it detects that it is being run on an emulator.25 |
S0408 | FlexiSpy | FlexiSpy is capable of hiding SuperSU’s icon if it is installed and visible.7 FlexiSpy can also hide its own icon to make detection and the uninstallation process more difficult.6 |
S0423 | Ginp | Ginp hides its icon after installation.19 |
S0406 | Gustuff | Gustuff hides its icon after installation.17 |
S0485 | Mandrake | Mandrake can hide its icon on older Android versions.24 |
S0411 | Rotexy | Rotexy hides its icon after first launch.12 |
S1062 | S.O.V.A. | S.O.V.A. can hide its application icon.14 |
S0419 | SimBad | SimBad hides its icon from the application launcher.10 |
S0558 | Tiktok Pro | Tiktok Pro can hide its icon after launch.9 |
S0302 | Twitoor | Twitoor can hide its presence on the system.11 |
S0418 | ViceLeaker | ViceLeaker includes code to hide its icon, but the function does not appear to be called in an analyzed version of the software.13 |
S0311 | YiSpecter | YiSpecter has hidden the app icon from iOS springboard.23 |
Mitigations
ID | Mitigation | Description |
---|---|---|
M1006 | Use Recent OS Version | Android 10 introduced changes to prevent malicious applications from fully suppressing their icon in the launcher.12 |
M1011 | User Guidance | Users should be shown what a synthetic activity looks like so they can scrutinize them in the future. |
Detection
ID | Data Source | Data Component |
---|---|---|
DS0041 | Application Vetting | API Calls |
DS0042 | User Interface | System Settings |
References
-
Android. (n.d.). Android 10 Release Notes: Limitations to hiding app icons. Retrieved March 30, 2022. ↩↩
-
Android. (n.d.). LauncherApps: getActivityList. Retrieved March 30, 2022. ↩↩
-
Lukáš Štefanko. (2017, February 22). Sunny with a chance of stolen credentials: Malicious weather app found on Google Play. Retrieved July 11, 2019. ↩
-
Lukáš Štefanko. (2018, December 11). Android Trojan steals money from PayPal accounts even with 2FA on. Retrieved July 11, 2019. ↩
-
NJCCIC. (2017, March 2). BankBot/Spy Banker. Retrieved July 11, 2019. ↩
-
FlexiSpy. (n.d.). FlexiSpy Monitoring Features. Retrieved September 4, 2019. ↩
-
K. Lu. (n.d.). Deep Technical Analysis of the Spyware FlexiSpy for Android. Retrieved September 10, 2019. ↩
-
Alexey Firsh. (2018, August 29). BusyGasper – the unfriendly spy. Retrieved October 1, 2021. ↩
-
S. Desai. (2020, September 8). TikTok Spyware. Retrieved January 5, 2021. ↩
-
Elena Root, Andrey Polkovnichenko. (2019, March 13). SimBad: A Rogue Adware Campaign On Google Play. Retrieved November 21, 2019. ↩
-
ESET. (2016, August 24). First Twitter-controlled Android botnet discovered. Retrieved December 22, 2016. ↩
-
T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan – banker and ransomware. Retrieved September 23, 2019. ↩
-
L. Arsene, C. Ochinca. (2018, August 20). Triout – Spyware Framework for Android with Extensive Surveillance Capabilities. Retrieved January 21, 2020. ↩
-
ThreatFabric. (2021, September 9). S.O.V.A. - A new Android Banking trojan with fowl intentions. Retrieved February 6, 2023. ↩
-
Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. Retrieved June 26, 2020. ↩
-
A. Hazum, F. He, I. Marom, B. Melnykov, A. Polkovnichenko. (2019, July 10). Agent Smith: A New Species of Mobile Malware. Retrieved May 7, 2020. ↩
-
Group-IB. (2019, March 28). Group-IB uncovers Android Trojan named «Gustuff» capable of targeting more than 100 global banking apps, cryptocurrency and marketplace applications. Retrieved September 3, 2019. ↩
-
Cyble. (2022, October 27). Drinik Malware Returns With Advanced Capabilities Targeting Indian Taxpayers. Retrieved January 18, 2023. ↩
-
ThreatFabric. (2019, November). Ginp - A malware patchwork borrowing from Anubis. Retrieved April 8, 2020. ↩
-
A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020. ↩
-
A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. Retrieved September 11, 2020. ↩
-
L. Stefanko. (2019, October 24). Tracking down the developer of Android adware affecting millions of users. Retrieved October 29, 2020. ↩
-
Claud Xiao. (2015, October 4). YiSpecter: First iOS Malware That Attacks Non-jailbroken Apple iOS Devices by Abusing Private APIs. Retrieved March 3, 2023. ↩
-
R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020. ↩
-
O. Almkias. (2020, July 1). FakeSpy Masquerades as Postal Service Apps Around the World. Retrieved September 15, 2020. ↩