Test ability to evade automated mobile application security analysis performed by app stores

Many mobile devices are configured to only allow applications to be installed from the mainstream vendor app stores (e.g., Apple App Store and Google Play Store). An adversary can submit multiple code samples to these stores deliberately designed to probe the stores' security analysis capabilities, with the goal of determining effective techniques to place malicious applications in the stores that could then be delivered to targeted devices. [1] [2] [3] [4]

ID: T1393
Sub-techniques:  No sub-techniques
Tactic: Test Capabilities
Version: 1.0
Created: 14 December 2017
Last Modified: 17 October 2018


Detectable by Common Defenses (Yes/No/Partial): No

Explanation: The app store operators (e.g., Apple and Google) may detect the attempts, but it would not be observable to those being attacked.

Difficulty for the Adversary

Easy for the Adversary (Yes/No): Yes

Explanation: An adversary can submit code remotely using throwaway accounts, although a registration fee may need to be paid for each new account (e.g., $99 for Apple and $25 for Google Play Store).


  1. Jon Oberheide and Charlie Miller. (2012). DISSECTING THE ANDROID BOUNCER. Retrieved April 12, 2017.
  2. Nicholas J. Percoco and Sean Schulte. (2012). Adventures in BouncerLand. Retrieved April 12, 2017.
  1. Tielei Wang, Kangjie Lu, Long Lu, Simon Chung, and Wenke Lee. (2013). Jekyll on iOS: When Benign Apps Become Evil. Retrieved April 12, 2017.
  2. Claud Xiao. (2016). Fruit vs Zombies: Defeat Non-jailbroken iOS Malware. Retrieved April 12, 2017.