Application Vetting

Application vetting report generated by an external cloud service.

ID: DS0041
Platforms: Android, iOS
Collection Layer: Report
Version: 1.0
Created: 13 March 2023
Last Modified: 13 March 2023

Data Components

Application Vetting: API Calls

API calls utilized by an application that could indicate malicious activity

Application Vetting: API Calls

API calls utilized by an application that could indicate malicious activity

Domain ID Name Detects
Mobile T1661 Application Versioning

Application vetting services may look for indications that the application’s update includes malicious code at runtime.

Mobile T1414 Clipboard Data

Application vetting services could detect usage of standard clipboard APIs.

Mobile T1623 Command and Scripting Interpreter

Application vetting services could detect the invocations of methods that could be used to execute shell commands.[1]

.001 Unix Shell

Application vetting services could detect the invocations of methods that could be used to execute shell commands.[1]

Mobile T1645 Compromise Client Software Binary

Application vetting services could detect applications trying to modify files in protected parts of the operating system.

Mobile T1634 Credentials from Password Store

Application vetting services may be able to detect known privilege escalation exploits contained within applications, as well as searching application packages for strings that correlate to known password store locations.

.001 Keychain

Application vetting services may be able to detect known privilege escalation exploits contained within applications, as well as searching application packages for strings that correlate to known password store locations.

Mobile T1662 Data Destruction

Application vetting services may detect API calls for deleting files.

Mobile T1471 Data Encrypted for Impact

Application vetting services may be able to detect if an application attempts to encrypt files, although this may be benign behavior.

Mobile T1641 Data Manipulation

Application vetting services could look for use of standard APIs (e.g. the clipboard API) that could indicate data manipulation is occurring.

.001 Transmitted Data Manipulation

Applications could be vetted for their use of the clipboard manager APIs with extra scrutiny given to application that make use of them.

Mobile T1407 Download New Code at Runtime

Application vetting services could look for indications that the application downloads and executes new code at runtime (e.g., on Android, use of DexClassLoader, System.load, or the WebView JavaScriptInterface capability; on iOS, use of JSPatch or similar capabilities).

Mobile T1627 Execution Guardrails

Application vetting services can detect unnecessary and potentially abused API calls.

.001 Geofencing

Application vetting services can detect unnecessary and potentially abused API calls.

Mobile T1404 Exploitation for Privilege Escalation

Application vetting services could potentially determine if an application contains code designed to exploit vulnerabilities.

Mobile T1541 Foreground Persistence

Applications could be vetted for their use of the startForeground() API, and could be further scrutinized if usage is found.

Mobile T1628 Hide Artifacts

Application vetting services could potentially detect the usage of APIs intended for artifact hiding.

.001 Suppress Application Icon

Application vetting services could potentially detect the usage of APIs intended for suppressing the application’s icon.

Mobile T1629 Impair Defenses

Application vetting can detect many techniques associated with impairing device defenses.[1]

.001 Prevent Application Removal

Application vetting services may detect API calls to performGlobalAction(int).

Mobile T1630 .001 Indicator Removal on Host: Uninstall Malicious Application

Application vetting services could look for use of the accessibility service or features that typically require root access.

Mobile T1655 Masquerading

Application vetting services may potentially determine if an application contains suspicious code and/or metadata.

.001 Match Legitimate Name or Location

Application vetting services may potentially determine if an application contains suspicious code and/or metadata.

Mobile T1406 Obfuscated Files or Information

Dynamic analysis, when used in application vetting, may in some cases be able to identify malicious code in obfuscated or encrypted form by detecting the code at execution time (after it is deobfuscated or decrypted). Some application vetting techniques apply reputation analysis of the application developer and can alert to potentially suspicious applications without actual examination of application code.

.002 Software Packing

Application vetting services could look for known software packers or artifacts of packing techniques. Packing is not a definitive indicator of malicious activity, because as legitimate software may use packing techniques to reduce binary size or to protect proprietary code.

Mobile T1424 Process Discovery

Mobile security products can typically detect rooted devices, which is an indication that Process Discovery is possible. Application vetting could potentially detect when applications attempt to abuse root access or root the system itself. Further, application vetting services could look for attempted usage of legacy process discovery mechanisms, such as the usage of ps or inspection of the /proc directory.

Mobile T1631 Process Injection

Application vetting services could look for misuse of dynamic libraries.

.001 Ptrace System Calls

Application vetting services could look for misuse of dynamic libraries.

Mobile T1513 Screen Capture

Application vetting services can look for the use of the Android MediaProjectionManager class, applying extra scrutiny to applications that use the class.

Mobile T1418 Software Discovery

Application vetting services could look for the Android permission android.permission.QUERY_ALL_PACKAGES, and apply extra scrutiny to applications that request it. On iOS, application vetting services could look for usage of the private API LSApplicationWorkspace and apply extra scrutiny to applications that employ it.

.001 Security Software Discovery

Application vetting services could look for the Android permission android.permission.QUERY_ALL_PACKAGES, and apply extra scrutiny to applications that request it. On iOS, application vetting services could look for usage of the private API LSApplicationWorkspace and apply extra scrutiny to applications that employ it.

Mobile T1635 Steal Application Access Token

When vetting applications for potential security weaknesses, the vetting process could look for insecure use of Intents. Developers should be encouraged to use techniques to ensure that the intent can only be sent to an appropriate destination (e.g., use explicit rather than implicit intents, permission checking, checking of the destination app's signing certificate, or utilizing the App Links feature). For mobile applications using OAuth, encourage use of best practice.[2][3]

.001 URI Hijacking

When vetting applications for potential security weaknesses, the vetting process could look for insecure use of Intents. Developers should be encouraged to use techniques to ensure that the intent can only be sent to an appropriate destination (e.g., use explicit rather than implicit intents, permission checking, checking of the destination app's signing certificate, or utilizing the App Links feature). For mobile applications using OAuth, encourage use of best practice. [2][3]

Mobile T1409 Stored Application Data

Application vetting services could detect when applications store data insecurely, for example, in unprotected external storage.

Mobile T1474 Supply Chain Compromise

Usage of insecure or malicious third-party libraries could be detected by application vetting services. Malicious software development tools could be detected by enterprises that deploy endpoint protection software on computers that are used to develop mobile apps. Application vetting could detect the usage of insecure or malicious third-party libraries.

.001 Compromise Software Dependencies and Development Tools

Usage of insecure or malicious third-party libraries could be detected by application vetting services. Malicious software development tools could be detected by enterprises that deploy endpoint protection software on computers that are used to develop mobile apps. Application vetting could detect the usage of insecure or malicious third-party libraries.

.003 Compromise Software Supply Chain

Application vetting services can detect malicious code in applications.

Mobile T1633 Virtualization/Sandbox Evasion

Application vetting services could look for applications attempting to get android.os.SystemProperties or getprop with the runtime exec() commands. This could indicate some level of sandbox evasion, as Google recommends against using system properties within applications.

.001 System Checks

Application vetting services could look for applications attempting to get android.os.SystemProperties or getprop with the runtime exec() commands. This could indicate some level of sandbox evasion, as Google recommends against using system properties within applications.

Application Vetting: Application Assets

Additional assets included with an application

Application Vetting: Application Assets

Additional assets included with an application

Domain ID Name
Mobile T1521 .003 Encrypted Channel: SSL Pinning

Application Vetting: Network Communication

Network requests made by an application or domains contacted

Application Vetting: Network Communication

Network requests made by an application or domains contacted

Domain ID Name Detects
Mobile T1661 Application Versioning

Application vetting services may be able to list domains and/or IP addresses that applications communicate with.

Mobile T1407 Download New Code at Runtime

Application vetting services may be able to list domains and/or IP addresses that applications communicate with.

Mobile T1637 Dynamic Resolution

Monitor for pseudo-randomly generated domain names based on frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more.[4] Additionally, check if the suspicious domain has been recently registered, if it has been rarely visited, or if the domain had a spike in activity after being dormant.[5] Content delivery network (CDN) domains may trigger these detections due to the format of their domain names.

.001 Domain Generation Algorithms

Monitor for pseudo-randomly generated domain names based on frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more.[4] Additionally, check if the suspicious domain has been recently registered, if it has been rarely visited, or if the domain had a spike in activity after being dormant.[5] Content delivery network (CDN) domains may trigger these detections due to the format of their domain names.

Mobile T1658 Exploitation for Client Execution

Network traffic analysis may reveal processes communicating with malicious domains.

Mobile T1428 Exploitation of Remote Services

Application vetting may be able to identify applications that perform Discovery or utilize existing connectivity to remotely access hosts within an internal enterprise network.

Mobile T1544 Ingress Tool Transfer

Application vetting services could look for connections to unknown domains or IP addresses.

Mobile T1509 Non-Standard Port

Application vetting reports may show network communications performed by the application, including hosts, ports, protocols, and URLs. Further detection would most likely be at the enterprise level, through packet and/or netflow inspection.

Mobile T1481 Web Service

Application vetting services may provide a list of connections made or received by an application, or a list of domains contacted by the application.

.001 Dead Drop Resolver

Application vetting services may provide a list of connections made or received by an application, or a list of domains contacted by the application.

.002 Bidirectional Communication

Application vetting services may provide a list of connections made or received by an application, or a list of domains contacted by the application.

.003 One-Way Communication

Application vetting services may provide a list of connections made or received by an application, or a list of domains contacted by the application.

Application Vetting: Permissions Requests

Permissions declared in an application's manifest or property list file

Application Vetting: Permissions Requests

Permissions declared in an application's manifest or property list file

Domain ID Name Detects
Mobile T1626 Abuse Elevation Control Mechanism

Application vetting services can detect when an application requests administrator permission.

.001 Device Administrator Permissions

Application vetting services can check for the string BIND_DEVICE_ADMIN in the application’s manifest. This indicates it can prompt the user for device administrator permissions.

Mobile T1517 Access Notifications

Application vetting services can look for applications requesting the BIND_NOTIFICATION_LISTENER_SERVICE permission in a service declaration.

Mobile T1640 Account Access Removal

Application vetting services could closely scrutinize applications that request Device Administrator permissions.

Mobile T1661 Application Versioning

Application vetting services may detect when an application requests permissions after an application update.

Mobile T1429 Audio Capture

Android applications using the RECORD_AUDIO permission and iOS applications using RequestRecordPermission should be carefully reviewed and monitored. If the CAPTURE_AUDIO_OUTPUT permission is found in a third-party Android application, the application should be heavily scrutinized.

In both Android (6.0 and up) and iOS, the user can review which applications have the permission to access the microphone through the device settings screen and revoke permissions as necessary.

Mobile T1662 Data Destruction

Mobile security products can detect which applications can request device administrator permissions. Application vetting services could be extra scrutinous of applications that request device administrator permissions.

Mobile T1642 Endpoint Denial of Service

Application vetting services can detect and closely scrutinize applications that utilize Device Administrator access.

Mobile T1624 Event Triggered Execution

Application vetting services can detect which broadcast intents an application registers for and which permissions it requests.

.001 Broadcast Receivers

Application vetting services can detect which broadcast intents an application registers for and which permissions it requests.

Mobile T1627 Execution Guardrails

Application vetting services can detect unnecessary and potentially abused permissions.

.001 Geofencing

Application vetting services can detect unnecessary and potentially abused location permissions.

Mobile T1643 Generate Traffic from Victim

Application vetting services can detect when applications request the SEND_SMS permission, which should be infrequently used.

Mobile T1630 Indicator Removal on Host

Mobile security products can detect which applications can request device administrator permissions. Application vetting services could look for use of APIs that could indicate the application is trying to hide activity.

.002 File Deletion

Mobile security products can detect which applications can request device administrator permissions. Application vetting services could be extra scrutinous of applications that request device administrator permissions.

Mobile T1544 Ingress Tool Transfer

Application vetting services may indicate precisely what content was requested during application execution.

Mobile T1417 Input Capture

Application vetting services can look for applications requesting the permissions granting access to accessibility services or application overlay.

.001 Keylogging

Application vetting services can look for applications requesting the android.permission.BIND_ACCESSIBILITY_SERVICE permission in a service declaration. On Android, the user can view and manage which applications can use accessibility services through the device settings in Accessibility. The exact device settings menu locations may vary between operating system versions.

.002 GUI Input Capture

Application vetting services can look for applications requesting the android.permission.SYSTEM_ALERT_WINDOW permission in the list of permissions in the app manifest.

Mobile T1430 Location Tracking

Android applications requesting the ACCESS_COARSE_LOCATION, ACCESS_FINE_LOCATION, or ACCESS_BACKGROUND_LOCATION permissions and iOS applications including the NSLocationWhenInUseUsageDescription, NSLocationAlwaysAndWhenInUseUsageDescription, and/or NSLocationAlwaysUsageDescription keys in their Info.plist file could be scrutinized during the application vetting process.

Mobile T1636 Protected User Data

Application vetting services typically flag permissions requested by an application, which can be reviewed by an administrator. Certain dangerous permissions, such as RECEIVE_SMS, could receive additional scrutiny.

.001 Calendar Entries

Application vetting services could look for android.permission.READ_CALENDAR or android.permission.WRITE_CALENDAR in an Android application’s manifest, or NSCalendarsUsageDescription in an iOS application’s Info.plist file. Most applications do not need calendar access, so extra scrutiny could be applied to those that request it.

.002 Call Log

Application vetting services could look for android.permission.READ_CALL_LOG in an Android application’s manifest. Most applications do not need call log access, so extra scrutiny could be applied to those that request it.

.003 Contact List

Application vetting services could look for android.permission.READ_CONTACTS in an Android application’s manifest, or NSContactsUsageDescription in an iOS application’s Info.plist file. Most applications do not need contact list access, so extra scrutiny could be applied to those that request it.

.004 SMS Messages

Application vetting services could look for android.permission.READ_SMS in an Android application’s manifest. Most applications do not need access to SMS messages, so extra scrutiny could be applied to those that request it.

Mobile T1422 System Network Configuration Discovery

Application vetting services could look for usage of the READ_PRIVILEGED_PHONE_STATE Android permission. This could indicate that non-system apps are attempting to access information that they do not have access to.

.001 Internet Connection Discovery

Application vetting services could look for usage of the READ_PRIVILEGED_PHONE_STATE Android permission. This could indicate that non-system apps are attempting to access information that they do not have access to.

.002 Wi-Fi Discovery

Application vetting services could look for usage of the READ_PRIVILEGED_PHONE_STATE Android permission. This could indicate that non-system apps are attempting to access information that they do not have access to.

Mobile T1512 Video Capture

During the vetting process, applications using the Android permission android.permission.CAMERA, or the iOS NSCameraUsageDescription plist entry could be given closer scrutiny.

Application Vetting: Protected Configuration

Device configuration options that are not typically utilized by benign applications

Application Vetting: Protected Configuration

Device configuration options that are not typically utilized by benign applications

Domain ID Name Detects
Mobile T1638 Adversary-in-the-Middle

Application vetting services should look for applications that request VPN access. These applications should be heavily scrutinized since VPN functionality is not very common.

References