|T1418.001||Security Software Discovery|
Adversaries may attempt to get a listing of applications that are installed on a device. Adversaries may use the information from Software Discovery during automated discovery to shape follow-on behaviors, including whether or not to fully infect the target and/or attempts specific actions.
Adversaries may attempt to enumerate applications for a variety of reasons, such as figuring out what security measures are present or to identify the presence of target applications.
AbstractEmu can obtain a list of installed applications.
Agent Smith obtains the device’s application list.
Android/AdDisplay.Ashas has checked to see how many apps are installed, and specifically if Facebook or FB Messenger are installed.
Anubis can collect a list of installed applications to compare to a list of targeted applications.
CarbonSteal has looked for specific applications, such as MiCode.
DEFENSOR ID can retrieve a list of installed applications.
Desert Scorpion can obtain a list of installed applications.
DoubleAgent has accessed the list of installed apps.
Golden Cup can obtain a list of installed applications.
GoldenEagle has collected a list of installed application names.
INSOMNIA can obtain a list of installed non-Apple applications.
Pallas retrieves a list of all applications installed on the device.
|S0316||Pegasus for Android||
Pegasus for Android accesses the list of installed applications.
|S0539||Red Alert 2.0||
Red Alert 2.0 can obtain the running application.
Riltok can retrieve a list of installed applications. Installed application names are then checked against an adversary-defined list of targeted applications.
Rotexy retrieves a list of installed applications and sends it to the command and control server.
S.O.V.A. can search for installed applications that match a list of targets.
Stealth Mango uploads information about installed packages.
TERRACOTTA can obtain a list of installed apps.
Tiktok Pro can obtain a list of installed applications.
Triada is able to modify code within the com.android.systemui application to gain access to
ViceLeaker can obtain a list of installed applications.
YiSpecter has collected information about installed applications.
|M1006||Use Recent OS Version||
Android 11 introduced privacy enhancements to package visibility, filtering results that are returned from the package manager. iOS 12 removed the private API that could previously be used to list installed applications on non-app store applications.
iOS users should be instructed to not download applications from unofficial sources, as applications distributed via the Apple App Store cannot list installed applications on a device.
|ID||Data Source||Data Component|
|DS0041||Application Vetting||API Calls|
Application vetting services could look for the Android permission
android.permission.QUERY_ALL_PACKAGES, and apply extra scrutiny to applications that request it. On iOS, application vetting services could look for usage of the private API
LSApplicationWorkspace and apply extra scrutiny to applications that employ it.