T1661 Application Versioning
An adversary may push an update to a previously benign application to add malicious code. This can be accomplished by pushing an initially benign, functional application to a trusted application store, such as the Google Play Store or the Apple App Store. This allows the adversary to establish a trusted userbase that may grant permissions to the application prior to the introduction of malicious code. Then, an application update could be pushed to introduce malicious code. [1]
This technique could also be accomplished by compromising a developer’s account. This would allow an adversary to take advantage of an existing userbase without having to establish the userbase themselves.
| Item | Value |
|---|---|
| ID | T1661 |
| Sub-techniques | None |
| Tactics | TA0027 (Initial Access), TA0030 (Defense Evasion) |
| Platforms | Android, iOS |
| Version | 1.0 |
| Created | 21 September 2023 |
| Last Modified | 28 September 2023 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| S1055 | SharkBot | SharkBot initially poses as a benign application, then malware is downloaded and executed after an application update. [3] |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1012 | Enterprise Policy | Enterprises can provision policies to mobile devices for application allow-listing, ensuring only approved applications are installed onto mobile devices. |
| M1006 | Use Recent OS Version | Android 12 and above hibernate applications that target Android 11 or higher and have not been used for a few months; hibernation revokes the application's runtime permissions, so a later malicious update cannot silently reuse grants the user made to the earlier, benign version. Android 11 already auto-resets runtime permissions for unused applications. [2] |
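One way a mobile fleet could watch for the pattern in the description above, and see where the allow-listing in M1012 stops, as an added example that is not part of the ATT&CK page or of any cited report: the script below compares two inventory snapshots of installed applications (each built from the apps' AndroidManifest.xml, as an MDM agent export or an `aapt dump xmltree` run would supply) and reports packages that are not on the enterprise allow-list, plus allow-listed packages whose update declares high-risk permissions that the previously installed version never requested. The package names, manifests, allow-list and the `HIGH_RISK_PERMISSIONS` set are constructed assumptions; parsing uses only the Python standard library.

```python
"""Flag app updates that widen permissions: the behaviour behind T1661.

Two inventory snapshots (old and new) are compared and the script reports:
  * packages not on the enterprise allow-list (mitigation M1012);
  * allow-listed packages whose update declares high-risk permissions that
    the previously installed version never declared.
All package names, manifests and the allow-list below are constructed samples.
"""
from dataclasses import dataclass
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Runtime and special permissions whose sudden appearance in an update is
# worth an alert. Assumed subset chosen for illustration, not an Android list.
HIGH_RISK_PERMISSIONS = frozenset({
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.RECORD_AUDIO",
    "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.REQUEST_INSTALL_PACKAGES",
})


@dataclass(frozen=True)
class AppVersion:
    package: str
    version_code: int
    permissions: frozenset


def parse_manifest(xml_text: str) -> AppVersion:
    """Pull package name, versionCode and <uses-permission> entries out of a manifest."""
    root = ET.fromstring(xml_text)
    perms = frozenset(
        el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")
    )
    return AppVersion(
        package=root.get("package"),
        version_code=int(root.get(ANDROID_NS + "versionCode")),
        permissions=perms,
    )


def snapshot(manifests):
    """Index parsed manifests by package name."""
    return {app.package: app for app in map(parse_manifest, manifests)}


def evaluate(old, new, allow_list):
    """Return (package, finding) tuples for the new snapshot, sorted by package."""
    findings = []
    for package in sorted(new):
        app = new[package]
        if package not in allow_list:
            findings.append((package, "not on enterprise allow-list"))
            continue  # M1012 ends here; an allow-listed app is still trusted after any update
        prev = old.get(package)
        if prev is None or app.version_code <= prev.version_code:
            continue  # fresh install or no update: nothing to diff
        added = (app.permissions - prev.permissions) & HIGH_RISK_PERMISSIONS
        if added:
            findings.append((package, "update %d->%d added high-risk permissions: %s"
                             % (prev.version_code, app.version_code, ", ".join(sorted(added)))))
    return findings


def _manifest(package, version_code, permissions):
    """Build a minimal AndroidManifest.xml string for the constructed samples."""
    uses = "".join('<uses-permission android:name="%s"/>' % p for p in permissions)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            'package="%s" android:versionCode="%d">%s</manifest>'
            % (package, version_code, uses))


# Constructed snapshots: a screen-recorder app that was benign at v1 and at v2
# gained storage access and the ability to install further packages.
OLD_SNAPSHOT = snapshot([
    _manifest("com.example.screenrecorder", 1,
              ["android.permission.RECORD_AUDIO", "android.permission.FOREGROUND_SERVICE"]),
    _manifest("com.example.notes", 7, ["android.permission.INTERNET"]),
])
NEW_SNAPSHOT = snapshot([
    _manifest("com.example.screenrecorder", 2,
              ["android.permission.RECORD_AUDIO", "android.permission.FOREGROUND_SERVICE",
               "android.permission.INTERNET", "android.permission.READ_EXTERNAL_STORAGE",
               "android.permission.REQUEST_INSTALL_PACKAGES"]),
    _manifest("com.example.notes", 7, ["android.permission.INTERNET"]),
    _manifest("com.sample.sideloaded", 1, ["android.permission.READ_SMS"]),
])
ALLOW_LIST = frozenset({"com.example.screenrecorder", "com.example.notes"})

FINDINGS = evaluate(OLD_SNAPSHOT, NEW_SNAPSHOT, ALLOW_LIST)

if __name__ == "__main__":
    for package, finding in FINDINGS:
        print(package, "-", finding)
```

The allow-list on its own passes the screen-recorder update: an allow-listed package stays allow-listed after a malicious update, which is why the version-to-version permission diff is the check that actually addresses this technique. An update that reuses permissions the benign version was already granted (the case the description warns about) produces no delta here and needs behavioural monitoring of the updated app instead; the permission reset described under M1006 is what forces that app back through a user prompt.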
References
1. Stefanko, L. (2023, May 23). Android app breaking bad: From legitimate screen recording to file exfiltration within a year. Retrieved August 28, 2023.
2. Android Developers. (2023, August 28). App hibernation. Retrieved September 21, 2023.
3. RIFT: Research and Intelligence Fusion Team. (2022, March 3). SharkBot: a “new” generation Android banking Trojan being distributed on Google Play Store. Retrieved January 18, 2023.