
T1655.001 Match Legitimate Name or Location

Adversaries may match or approximate the name or location of legitimate files or resources when naming or placing them. This is done to evade defenses and observation. It may be done by giving artifacts the name and icon of a legitimate, trusted application (e.g., Settings), or by using a package name that matches a legitimate, trusted application (e.g., com.google.android.gm).

Adversaries may also use the same icon of the file or application they are trying to mimic.
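Added defender-side example (not code from the ATT&CK page or from any of the referenced reports): a Python check that takes a constructed inventory of installed Android apps (package name, launcher label, signing-certificate fingerprint) and flags the masquerading patterns described above: a trusted package name with an unexpected signer, a trusted label reused by another package, and a package name that approximates or borrows the vendor prefix of a trusted one. The allowlist, fingerprints and inventory are constructed placeholders, and the similarity threshold is an assumption.

```python
import difflib
from dataclasses import dataclass

# Constructed allowlist (not from the page): package -> (label, expected signer fingerprint placeholder).
TRUSTED = {
    "com.google.android.gm": ("Gmail", "SIGNER-GMAIL-PLACEHOLDER"),
    "com.google.android.gms": ("Google Play services", "SIGNER-GMS-PLACEHOLDER"),
    "com.android.settings": ("Settings", "SIGNER-PLATFORM-PLACEHOLDER"),
}
# Vendor prefixes such as "com.google." that the trusted packages live under.
VENDOR_PREFIXES = {".".join(p.split(".")[:2]) + "." for p in TRUSTED}

@dataclass
class InstalledApp:
    package: str  # package name reported by the package manager
    label: str    # launcher label shown to the user
    signer: str   # SHA-256 fingerprint of the signing certificate

def lookalike_findings(app, similarity=0.85):
    """Reasons why `app` resembles a trusted app without provably being one."""
    findings = []
    if app.package in TRUSTED:
        # Same package name: only the signing certificate tells them apart.
        if app.signer != TRUSTED[app.package][1]:
            findings.append("trusted package name with unexpected signer")
        return findings
    for pkg, (label, _) in TRUSTED.items():
        if app.label.casefold() == label.casefold():
            findings.append(f"reuses label '{label}' of {pkg}")
        ratio = difflib.SequenceMatcher(None, app.package, pkg).ratio()
        if ratio >= similarity:
            findings.append(f"package name approximates {pkg} ({ratio:.2f})")
    if any(app.package.startswith(v) for v in VENDOR_PREFIXES):
        findings.append("uses a trusted vendor prefix but is not allowlisted")
    return findings

def scan(inventory):
    """Map each suspicious package name to its findings; clean apps are omitted."""
    return {a.package: f for a in inventory if (f := lookalike_findings(a))}

# Constructed inventory (not from real devices) mirroring the patterns above.
SAMPLE_INVENTORY = [
    InstalledApp("com.google.android.gm", "Gmail", "SIGNER-GMAIL-PLACEHOLDER"),
    InstalledApp("com.android.settings", "Settings", "SIGNER-UNKNOWN-1"),
    InstalledApp("com.google.xxx", "Facebook", "SIGNER-UNKNOWN-2"),
    InstalledApp("org.example.cleaner", "Settings", "SIGNER-UNKNOWN-3"),
    InstalledApp("com.google.andriod.gm", "Gmail", "SIGNER-UNKNOWN-4"),
    InstalledApp("org.example.notes", "Notes", "SIGNER-UNKNOWN-5"),
]
```

On a real device the inventory would come from the package manager and the signer from the app's signing certificate; the findings are triage leads, not verdicts, since the similarity threshold also catches legitimate vendor apps that are simply missing from the allowlist.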

| Item | Value |
|---|---|
| ID | T1655.001 |
| Sub-techniques | T1655.001 |
| Tactics | TA0030 |
| Platforms | Android, iOS |
| Version | 1.0 |
| Created | 12 July 2023 |
| Last Modified | 16 April 2025 |

Procedure Examples

| ID | Name | Description |
|---|---|---|
| S0440 | Agent Smith | Agent Smith can impersonate any popular application on an infected device, and the core malware disguises itself as a legitimate Google application. Agent Smith’s dropper is a weaponized legitimate Feng Shui Bundle.[43] |
| S0525 | Android/AdDisplay.Ashas | Android/AdDisplay.Ashas has mimicked Facebook and Google icons on the “Recent apps” screen to avoid discovery and uses the com.google.xxx package name to avoid detection.[19] |
| S1214 | Android/SpyAgent | Android/SpyAgent has used the official icon of the Korean police application and the package name “kpo,” which contains references related to the Korean police.[4] |
| S0524 | AndroidOS/MalLocker.B | AndroidOS/MalLocker.B has masqueraded as popular apps, cracked games, and video players.[46] |
| S0292 | AndroRAT | AndroRAT masquerades as legitimate applications.[41][40] |
| S0422 | Anubis | Anubis has requested accessibility service privileges while masquerading as “Google Play Protect” and has disguised additional malicious application installs as legitimate system updates.[22][21] |
| G1028 | APT-C-23 | APT-C-23 has masqueraded malware as legitimate applications.[39][34][37] |
| S0540 | Asacub | Asacub has masqueraded as a client of popular free ads services.[32] |
| S1079 | BOULDSPY | BOULDSPY has been installed using the package name com.android.callservice, pretending to be an Android system service.[28] |
| G0097 | Bouncing Golf | Bouncing Golf distributed malware as repackaged legitimate applications, with the malicious code in the com.golf package.[47] |
| S1094 | BRATA | BRATA has masqueraded as legitimate WhatsApp updates and app security scanners.[27][26] |
| C0033 | C0033 | During C0033, PROMETHIUM used StrongPity on a compromised website to distribute a malicious version of a legitimate application.[49] |
| S0529 | CarbonSteal | CarbonSteal has impersonated several apps, including official Google apps, chat apps, VPN apps, and popular games.[11] |
| S0480 | Cerberus | Cerberus has pretended to be an Adobe Flash Player installer.[13] |
| S1083 | Chameleon | Chameleon has disguised itself as legitimate applications, such as a cryptocurrency application called ‘CoinSpot,’ the IKO banking application in Poland, and an application used by the Australian Taxation Office (ATO). It has also used familiar icons, such as the Chrome and Bitcoin logos.[9][10] |
| S0555 | CHEMISTGAMES | CHEMISTGAMES has masqueraded as popular South Korean applications.[12] |
| S1243 | DCHSpy | DCHSpy has masqueraded as legitimate applications, such as VPN and banking applications.[45] |
| S0301 | Dendroid | Dendroid can be bound to legitimate applications prior to installation on devices.[18] |
| S0550 | DoubleAgent | DoubleAgent has been embedded into trojanized versions of applications such as Voxer, TalkBox, and Amaq News.[11] |
| S0320 | DroidJack | DroidJack included code from the legitimate Pokemon GO app in order to appear identical to the user, but it also included additional malicious code.[8] |
| S0478 | EventBot | EventBot has used icons from popular applications.[7] |
| S0522 | Exobot | Exobot has used names like WhatsApp and Netflix.[23] |
| S1080 | Fakecalls | Fakecalls has masqueraded as popular Korean banking apps.[30] |
| S0509 | FakeSpy | FakeSpy masquerades as local postal service applications.[42] |
| S0577 | FrozenCell | FrozenCell has masqueraded as fake updates to chat applications such as Facebook, WhatsApp, Messenger, LINE, and LoveChat, as well as apps targeting Middle Eastern demographics.[29] |
| S0423 | Ginp | Ginp has masqueraded as “Adobe Flash Player” and “Google Play Verificator”.[25] |
| S1231 | GodFather | GodFather has imitated Google Play Protect, a security application pre-installed on all Android devices, and its functionalities, such as scanning the device and requesting the accessibility service.[5] |
| S0551 | GoldenEagle | GoldenEagle has inserted trojan functionality into legitimate apps, including popular apps within the Uyghur community, VPNs, instant messaging apps, social networking, games, adult media, and Google searching.[11] |
| S0536 | GPlayed | GPlayed has used the Play Store icon as well as the name “Google Play Marketplace”.[16] |
| S0544 | HenBox | HenBox has masqueraded as VPN and Android system apps.[24] |
| S1077 | Hornbill | Hornbill has impersonated chat applications such as Fruit Chat, Cucu Chat, and Kako Chat.[6] |
| S0485 | Mandrake | Mandrake can mimic an app called “Storage Settings” if it cannot hide its icon.[1] |
| G1019 | MoustachedBouncer | MoustachedBouncer has used legitimate-looking filenames for malicious executables, including MicrosoftUpdate845255.exe.[48] |
| S1126 | Phenakite | Phenakite can masquerade as the chat application “Magic Smile.”[15] |
| S0539 | Red Alert 2.0 | Red Alert 2.0 has masqueraded as legitimate media player, social media, and VPN applications.[20] |
| S0549 | SilkBean | SilkBean has been incorporated into trojanized applications, including Uyghur/Arabic focused keyboards, alphabets, and plugins, as well as official-looking Google applications.[11] |
| S0419 | SimBad | SimBad was embedded into legitimate applications.[33] |
| S1195 | SpyC23 | SpyC23 has masqueraded as legitimate messaging applications.[39][34][37][36][35][38] |
| S0558 | Tiktok Pro | Tiktok Pro has masqueraded as TikTok.[14] |
| S0418 | ViceLeaker | ViceLeaker was embedded into legitimate applications using Smali injection.[31] |
| S0506 | ViperRAT | ViperRAT’s second stage has masqueraded as “System Updates”, “Viber Update”, and “WhatsApp Update”.[3] |
| S0489 | WolfRAT | WolfRAT has masqueraded as “Google service”, “GooglePlay”, and “Flash update”.[17] |
| S0314 | X-Agent for Android | X-Agent for Android was placed in a repackaged version of an application used by Ukrainian artillery forces.[2] |
| S0318 | XLoader for Android | XLoader for Android has masqueraded as an Android security application.[44] |

Mitigations

| ID | Mitigation | Description |
|---|---|---|
| M1011 | User Guidance | Users should be encouraged to only install apps from authorized app stores, which are less likely to contain malicious repackaged apps. |

References

1. R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020.
2. CrowdStrike Global Intelligence Team. (2016). Use of Fancy Bear Android Malware in Tracking of Ukrainian Field Artillery Units. Retrieved February 6, 2017.
3. M. Flossman. (2017, February 16). ViperRAT: The mobile APT targeting the Israeli Defense Force that should be on your radar. Retrieved September 11, 2020.
4. Pak, C. (2019, August 7). MoqHao Related Android Spyware Targeting Japan and Korea Found on Google Play. Retrieved November 13, 2024.
5. Merkle Science. (2023, April 25). The Godfather Android Malware: Threat under the lens. Retrieved July 16, 2025.
6. Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. Retrieved June 9, 2023.
7. D. Frank, L. Rochberger, Y. Rimmer, A. Dahan. (2020, April 30). EventBot: A New Mobile Banking Trojan is Born. Retrieved June 26, 2020.
8. Proofpoint. (2016, July 7). DroidJack Uses Side-Load…It’s Super Effective! Backdoored Pokemon GO Android App Found. Retrieved January 20, 2017.
9. Cyble Research & Intelligence Labs. (2023, April 13). Banking Trojan targeting mobile users in Australia and Poland. Retrieved August 16, 2023.
10. ThreatFabric. (2023, December 21). Android Banking Trojan Chameleon can now bypass any Biometric Authentication. Retrieved July 7, 2025.
11. A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020.
12. B. Leonard, N. Mehta. (2019, November 21). The Secret Life of Sandworms. Retrieved December 31, 2020.
13. Z. Doffman. (2019, August 16). Warning As Devious New Android Malware Hides In Fake Adobe Flash Player Installations (Updated). Retrieved June 26, 2020.
14. S. Desai. (2020, September 8). TikTok Spyware. Retrieved January 5, 2021.
15. Flossman, M., Scott, M. (2021, April). Technical Paper // Taking Action Against Arid Viper. Retrieved November 17, 2024.
16. V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market. Retrieved November 24, 2020.
17. W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back…. Retrieved July 20, 2020.
18. Marc Rogers. (2014, March 6). Dendroid malware can take over your camera, record audio, and sneak into Google Play. Retrieved December 22, 2016.
19. L. Stefanko. (2019, October 24). Tracking down the developer of Android adware affecting millions of users. Retrieved October 29, 2020.
20. J. Chandraiah. (2018, July 23). Red Alert 2.0: Android Trojan targets security-seekers. Retrieved December 14, 2020.
21. K. Sun. (2019, January 17). Google Play Apps Drop Anubis, Use Motion-based Evasion. Retrieved January 20, 2021.
22. M. Feller. (2020, February 5). Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. Retrieved September 25, 2024.
23. Threat Fabric. (2017, February). Exobot - Android banking Trojan on the rise. Retrieved October 29, 2020.
24. A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. Retrieved September 9, 2019.
25. ThreatFabric. (2019, November). Ginp - A malware patchwork borrowing from Anubis. Retrieved April 8, 2020.
26. Fernando Ruiz. (2021, April 12). BRATA Keeps Sneaking into Google Play, Now Targeting USA and Spain. Retrieved December 18, 2023.
27. Securelist. (2019, August 29). Fully equipped Spying Android RAT from Brazil: BRATA. Retrieved December 18, 2023.
28. Kyle Schmittle, Alemdar Islamoglu, Paul Shunk, Justin Albrecht. (2023, April 27). Lookout Discovers Android Spyware Tied to Iranian Police Targeting Minorities: BouldSpy. Retrieved July 21, 2023.
29. Michael Flossman. (2017, October 5). FrozenCell: Multi-platform surveillance campaign against Palestinians. Retrieved November 11, 2020.
30. Igor Golovin. (2022, April 11). Fakecalls: a talking Trojan. Retrieved July 21, 2023.
31. GReAT. (2019, June 26). ViceLeaker Operation: mobile espionage targeting Middle East. Retrieved November 21, 2019.
32. T. Shishkova. (2018, August 28). The rise of mobile banker Asacub. Retrieved December 14, 2020.
33. Elena Root, Andrey Polkovnichenko. (2019, March 13). SimBad: A Rogue Adware Campaign On Google Play. Retrieved November 21, 2019.
34. CheckPoint Research. (2020, February 16). Hamas Android Malware On IDF Soldiers-This is How it Happened. Retrieved November 17, 2024.
35. Cyware. (2020, October 2). APT-C-23 is Still Active and Enhancing its Mobile Spying Capabilities. Retrieved December 2, 2024.
36. Delamotte, A. (2023, November 6). Arid Viper | APT’s Nest of SpyC23 Malware Continues to Target Android Devices. Retrieved December 2, 2024.
37. Kohli, P. (2021, November 23). Android APT spyware, targeting Middle East victims, enhances evasiveness. Retrieved November 17, 2024.
38. O’Donnell, L. (2020, September 30). Android Spyware Variant Snoops on WhatsApp, Telegram Messages. Retrieved January 10, 2025.
39. Stefanko, L. (2020, September 30). APT-C-23 group evolves its Android spyware. Retrieved March 4, 2024.
40. BlackBerry Research and Insights Team. (n.d.). Mobile Malware and APT Espionage. Retrieved March 1, 2024.
41. Dela Paz, R. (2016, October 21). BITTER: a targeted attack against Pakistan. Retrieved March 1, 2024.
42. O. Almkias. (2020, July 1). FakeSpy Masquerades as Postal Service Apps Around the World. Retrieved September 15, 2020.
43. A. Hazum, F. He, I. Marom, B. Melnykov, A. Polkovnichenko. (2019, July 10). Agent Smith: A New Species of Mobile Malware. Retrieved May 7, 2020.
44. Hiroaki, H., Wu, L., Wu, L. (2019, April 2). XLoader Disguises as Android Apps, Has FakeSpy Links. Retrieved July 20, 2020.
45. Albrecht, J., Islamoglu, A. (2025, July 21). Lookout Discovers Iranian APT MuddyWater Leveraging DCHSpy During Israel-Iran Conflict. Retrieved September 19, 2025.
46. D. Venkatesan. (2020, October 8). Sophisticated new Android malware marks the latest evolution of mobile ransomware. Retrieved October 29, 2020.
47. E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign ‘Bouncing Golf’ Affects Middle East. Retrieved January 27, 2020.
48. Faou, M. (2023, August 10). MoustachedBouncer: Espionage against foreign diplomats in Belarus. Retrieved September 25, 2023.
49. Dong, Z. et al. (2021, July 21). StrongPity APT Group Deploys Android Malware for the First Time. Retrieved March 19, 2023.