Adversaries may attempt to get a listing of applications that are installed on a device. Adversaries may use the information from Software Discovery during automated discovery to shape follow-on behaviors, including whether or not to fully infect the target and/or attempts specific actions.
Adversaries may attempt to enumerate applications for a variety of reasons, such as figuring out what security measures are present or to identify the presence of target applications.
|S0316||Pegasus for Android|
|S0539||Red Alert 2.0|
Triada is able to modify code within the com.android.systemui application to gain access to
|M1006||Use Recent OS Version||
Android 11 introduced privacy enhancements to package visibility, filtering results that are returned from the package manager. iOS 12 removed the private API that could previously be used to list installed applications on non-app store applications.
iOS users should be instructed to not download applications from unofficial sources, as applications distributed via the Apple App Store cannot list installed applications on a device.
Application vetting services could look for the Android permission
android.permission.QUERY_ALL_PACKAGES, and apply extra scrutiny to applications that request it. On iOS, application vetting services could look for usage of the private API
LSApplicationWorkspace and apply extra scrutiny to applications that employ it.