Masquerade as Legitimate Application

An adversary could distribute malware by masquerading it as a legitimate application. This can be done in two ways: by embedding the malicious code in a copy of a legitimate application (repackaging), or by building a new application that pretends to be a legitimate one.

Embedding the malware in a legitimate application is done by downloading the application, disassembling it, adding the malicious code, and then re-assembling it.[1] The app would appear to be the original app, but would contain additional malicious functionality. Because the modified package has to be re-signed with the adversary's own key, it carries a different signing certificate from the original even though its name, icon, and package name can be identical. The adversary could then publish the malicious application to app stores or use another delivery method.

Pretending to be a legitimate application relies heavily on the user not scrutinizing the app. Typically, a malicious app pretending to be a legitimate one will reuse many details of the legitimate one, such as its name, icon, and description, but is published under a different package name, since an app store will not host two apps with the same package identifier.[2]

Malicious applications may also present themselves as a legitimate application or system component (for example, a Google security service) when requesting access to the accessibility service, increasing the likelihood that the user grants the request.

ID: T1444
Sub-techniques:  No sub-techniques
Tactic Type: Post-Adversary Device Access
Tactics: Initial Access, Defense Evasion
Platforms: Android, iOS
MTC ID: APP-31, APP-14
Contributors: Alex Hinchliffe, Palo Alto Networks
Version: 2.1
Created: 25 October 2017
Last Modified: 08 April 2020

Procedure Examples

Name Description
Agent Smith

Agent Smith can impersonate any popular application on an infected device, and the core malware disguises itself as a legitimate Google application. Agent Smith's dropper is a weaponized version of the legitimate Feng Shui Bundle application.[9]

Anubis

Anubis requests accessibility service privileges while masquerading as "Google Play Protect".[7]

Bouncing Golf

Bouncing Golf distributed malware as repackaged legitimate applications, with the malicious code in the com.golf package.[12]

Cerberus

Cerberus has pretended to be an Adobe Flash Player installer.[11]

DroidJack

DroidJack included code from the legitimate Pokemon GO app in order to appear identical to the user, but it also included additional malicious code.[4]

EventBot

EventBot has used icons from popular applications.[10]

Ginp

Ginp has masqueraded as "Adobe Flash Player" and "Google Play Verificator".[8]

SimBad

SimBad was embedded into legitimate applications.[6]

ViceLeaker

ViceLeaker was embedded into legitimate applications using Smali injection.[5]

X-Agent for Android

X-Agent for Android was placed in a repackaged version of an application used by Ukrainian artillery forces.[3]

Mitigations

Mitigation Description
User Guidance

Users should be encouraged to only install apps from authorized app stores, which are less likely to contain malicious repackaged apps.

Detection

Users can detect malicious applications by watching, at install time, for details that do not match the intended application, such as a different developer name, package identifier, or review history, or an unusually broad set of requested permissions. An app whose package name matches the genuine one but whose signing certificate does not is a repackaged copy, since the adversary cannot reproduce the original developer's signature over modified code.
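As an added example that is not part of this ATT&CK page or of any of the referenced reports, the following Python flags both variants described above (a repackaged copy re-signed under the adversary's key, and a lookalike listed under a different package name) by comparing an installed-app inventory against a known-good reference of package name and signing-certificate fingerprint. The brands, package names, fingerprints and the inventory are constructed placeholders; in practice the reference values come from the genuine APKs (for example via `apksigner verify --print-certs`) and the inventory from a device-management export.

```python
"""Flag installed apps that masquerade as, or are repackaged copies of,
well-known applications.

Two observable facts drive the checks (example code, not MITRE's or any
vendor's tooling):

  * A repackaged app keeps the original package name, label and icon, but the
    adversary must re-sign the modified APK with their own key, so the
    signing-certificate fingerprint differs from the genuine developer's.
  * A lookalike app keeps the label and icon, but an app store will not host
    two apps with the same package id, so it lives under a different package
    name, often with a slightly mangled label ("Examp1e Bank").
"""
from dataclasses import dataclass
import re
import unicodedata


@dataclass(frozen=True)
class App:
    package: str         # Android package name, e.g. com.example.bank
    label: str           # display name shown in the launcher / store listing
    signer_sha256: str   # hex SHA-256 of the APK signing certificate


# Known-good reference: brand label -> (package name, signer fingerprint).
# CONSTRUCTED placeholders; real values are taken from the genuine APKs.
KNOWN_GOOD = {
    "Example Bank": ("com.examplebank.app", "aa" * 32),
    "Example Chat": ("com.examplechat.android", "bb" * 32),
}


def normalize_label(label: str) -> str:
    """Fold case, strip accents, whitespace and punctuation, and undo common
    digit-for-letter substitutions, so 'Examp1e  Bank' -> 'examplebank'."""
    s = unicodedata.normalize("NFKD", label)
    s = "".join(ch for ch in s if not unicodedata.combining(ch)).lower()
    s = re.sub(r"[^a-z0-9]", "", s)
    return s.translate(str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"}))


_BY_PACKAGE = {pkg: (brand, fp) for brand, (pkg, fp) in KNOWN_GOOD.items()}
_BRAND_KEYS = {normalize_label(brand): brand for brand in KNOWN_GOOD}


def classify(app: App) -> str:
    """Return 'genuine', 'repackaged', 'impostor' or 'unknown'."""
    known = _BY_PACKAGE.get(app.package)
    if known is not None:
        # Same package id as the real app: only the signing key tells them apart.
        _brand, fp = known
        return "genuine" if app.signer_sha256.lower() == fp else "repackaged"
    norm = normalize_label(app.label)
    # Substring match catches suffixed lures such as "Example Bank Update";
    # it will also flag legitimate companion apps, which is the intended
    # trade-off for a review queue rather than an automatic block.
    if any(key in norm for key in _BRAND_KEYS):
        return "impostor"
    return "unknown"


def scan(apps):
    """Classify each app in order; returns a list parallel to the input."""
    return [classify(app) for app in apps]


# CONSTRUCTED sample inventory, as if collected from several devices.
SAMPLE_INVENTORY = [
    App("com.examplebank.app", "Example Bank", "aa" * 32),            # genuine
    App("com.examplebank.app", "Example Bank", "cc" * 32),            # repackaged
    App("com.update.examplebank", "Examp1e Bank", "dd" * 32),         # impostor
    App("com.flashplayer.update", "Adobe Flash Player", "ee" * 32),   # unknown
]

if __name__ == "__main__":
    for app, verdict in zip(SAMPLE_INVENTORY, scan(SAMPLE_INVENTORY)):
        print(f"{verdict:11} {app.package:28} {app.label!r}")
```

The "unknown" verdict is deliberate: an app that imitates a brand absent from the reference set (as the Flash Player lures used by Cerberus and Ginp do) cannot be judged by this check, so the reference list has to cover the brands an adversary is likely to imitate, not only the apps the organisation deploys.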

References