
T1632.001 Code Signing Policy Modification

Adversaries may modify code signing policies to enable execution of applications signed with unofficial or unknown keys. Code signing provides a level of authenticity on an app from a developer, guaranteeing that the program has not been tampered with and comes from an official source. Security controls can include enforcement mechanisms to ensure that only valid, signed code can be run on a device.

Mobile devices generally enable these security controls by default, such as preventing the installation of unknown applications on Android. Adversaries may modify these policies in a number of ways, including Input Injection or malicious configuration profiles.

Item Value
ID T1632.001
Sub-techniques T1632.001
Tactics TA0030
Platforms Android, iOS
Version 1.1
Created 30 March 2022
Last Modified 16 March 2023

Procedure Examples

ID Name Description
S0505 Desert Scorpion If running on a Huawei device, Desert Scorpion adds itself to the protected apps list, which allows it to run with the screen off.[8]
S0420 Dvmap Dvmap can enable installation of apps from unknown sources.[6]
S0551 GoldenEagle GoldenEagle has modified or configured proxy information.[4]
S0485 Mandrake Mandrake can enable app installation from unknown sources.[5]
S0549 SilkBean SilkBean has attempted to trick users into enabling installation of applications from unknown sources.[4]
S1056 TianySpy TianySpy can install malicious configurations on iPhones to allow malware to be installed via Ad Hoc distribution.[9]
G0112 Windshift Windshift has installed malicious MDM profiles on iOS devices as part of Operation ROCK.[10]
S0490 XLoader for iOS XLoader for iOS has been installed via a malicious configuration profile.[3]
S0311 YiSpecter YiSpecter has used fake Verisign and Symantec certificates to bypass malware detection systems. YiSpecter has also signed malicious apps with iOS enterprise certificates to work on non-jailbroken iOS devices.[7]

Mitigations

ID Mitigation Description
M1012 Enterprise Policy On iOS, the allowEnterpriseAppTrust and allowEnterpriseAppTrustModification configuration profile restrictions can be used to prevent users from installing apps signed using enterprise distribution keys.
M1006 Use Recent OS Version Mobile OSes have implemented measures to make it more difficult to trick users into installing untrusted certificates and configurations. iOS 10.3 and higher add an additional step for users to install new trusted CA certificates and configuration profiles. On Android, apps that target compatibility with Android 7 and higher (API Level 24) default to only trusting CA certificates that are bundled with the operating system, not CA certificates that are added by the user or administrator, hence decreasing their susceptibility to successful adversary-in-the-middle attacks.[1][2]
M1011 User Guidance Typically, insecure or malicious configuration settings are not installed without the user’s consent. Users should be advised not to install unexpected configuration settings (CA certificates, iOS Configuration Profiles, Mobile Device Management server provisioning).
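As an added example (not part of the ATT&CK page or any vendor tooling), the following Python script audits an unsigned iOS configuration profile for the two M1012 restriction keys. It assumes Apple's documented behaviour that both keys default to true when absent from the com.apple.applicationaccess payload; the profile identifiers and UUIDs are constructed placeholders.

```python
import plistlib

RESTRICTIONS_PAYLOAD = "com.apple.applicationaccess"
# Restriction keys named in mitigation M1012; Apple treats a missing key as true.
ENTERPRISE_TRUST_KEYS = ("allowEnterpriseAppTrust", "allowEnterpriseAppTrustModification")


def audit_profile(profile_bytes: bytes) -> dict:
    """Return the effective value of each enterprise-trust restriction in an
    unsigned .mobileconfig, plus 'hardened' when both are explicitly false."""
    profile = plistlib.loads(profile_bytes)
    effective = {key: True for key in ENTERPRISE_TRUST_KEYS}  # default when absent
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != RESTRICTIONS_PAYLOAD:
            continue  # other payload types (Wi-Fi, VPN, ...) carry no restrictions
        for key in ENTERPRISE_TRUST_KEYS:
            if key in payload:
                effective[key] = bool(payload[key])
    effective["hardened"] = not any(effective[key] for key in ENTERPRISE_TRUST_KEYS)
    return effective


def make_profile(restrictions: dict) -> bytes:
    """Serialise a minimal profile wrapping one Restrictions payload.
    Constructed sample; identifiers and UUIDs are hypothetical placeholders."""
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "example.t1632.profile",
        "PayloadUUID": "00000000-0000-0000-0000-000000000001",
        "PayloadContent": [{
            "PayloadType": RESTRICTIONS_PAYLOAD,
            "PayloadVersion": 1,
            "PayloadIdentifier": "example.t1632.restrictions",
            "PayloadUUID": "00000000-0000-0000-0000-000000000002",
            **restrictions,
        }],
    })


# Weak: no restriction keys, so enterprise apps can be trusted and users can change that.
WEAK = make_profile({})
# Hardened: enterprise app trust disabled and the setting locked against user changes.
HARDENED = make_profile({"allowEnterpriseAppTrust": False,
                         "allowEnterpriseAppTrustModification": False})

if __name__ == "__main__":
    for name, profile in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_profile(profile))
```

Signed profiles are CMS-wrapped and must be unwrapped before plistlib can parse them; the check above only reads plain XML or binary plists.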

Detection

ID Data Source Data Component
DS0042 User Interface System Settings

References

  1. Brian Duckering. (2017, March 27). Apple iOS 10.3 Finally Battles Malicious Profiles. Retrieved September 24, 2018.
  2. Chad Brubaker. (2016, July 7). Changes to Trusted Certificate Authorities in Android Nougat. Retrieved September 24, 2018.
  3. Hiroaki, H., Wu, L., Wu, L. (2019, April 2). XLoader Disguises as Android Apps, Has FakeSpy Links. Retrieved July 20, 2020.
  4. A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020.
  5. R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020.
  6. R. Unuchek. (2017, June 8). Dvmap: the first Android malware with code injection. Retrieved December 10, 2019.
  7. Claud Xiao. (2015, October 4). YiSpecter: First iOS Malware That Attacks Non-jailbroken Apple iOS Devices by Abusing Private APIs. Retrieved March 3, 2023.
  8. A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. Retrieved September 11, 2020.
  9. Trend Micro. (2022, January 25). TianySpy Malware Uses Smishing Disguised as Message From Telco. Retrieved January 11, 2023.
  10. The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. Retrieved February 8, 2021.