Repackaged Application

An adversary could download a legitimate app, disassemble it, add malicious code, and then reassemble the app[1]. The app would appear to be the original app but contain additional malicious functionality. The adversary could then publish this app to app stores or use another delivery technique.

ID: T1444

Tactic Type: Post-Adversary Device Access

Tactic: Initial Access

Platform: Android, iOS

MTC ID: APP-14

Version: 1.1

Mitigations

Mitigation | Description
User Guidance | Users should be encouraged to only install apps from authorized app stores, which are less likely to contain malicious repackaged apps.

Examples

Name | Description
DroidJack | DroidJack included code from the legitimate Pokemon GO app in order to appear identical to the user, but it also included additional malicious code.[2]
X-Agent for Android | X-Agent for Android was placed in a repackaged version of an application used by Ukrainian artillery forces.[3]

Detection

An EMM/MDM or mobile threat protection solution can identify the presence of unwanted, known insecure, or malicious apps on devices.
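One concrete check behind that detection capability, given here as an added example rather than anything from the ATT&CK page or from an EMM/MDM product: a repackaged app is rebuilt and must be re-signed by whoever modified it, so its signing certificate fingerprint differs from the legitimate publisher's. The Python below parses the report layout of `apksigner verify --print-certs` and compares each app's signer fingerprints against a per-package allowlist; the package names, fingerprints and sample reports are constructed placeholders, and the allowlist format is an assumption of this example.

```python
"""Flag installed apps whose signing certificate does not match the publisher's
known certificate. A repackaged app has to be re-signed by whoever modified it,
so its signer fingerprint differs from the legitimate developer's."""

import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed allowlist: package name -> expected signer certificate SHA-256
# fingerprints (lowercase hex). Placeholder values, not real developer certs.
EXPECTED_SIGNERS: Dict[str, Set[str]] = {
    "com.example.notes": {"0a" * 32},
    "com.example.maps": {"1b" * 32, "2c" * 32},  # key rotation: two valid certs
}

# Matches the SHA-256 line apksigner prints for each signer.
SIGNER_LINE = re.compile(
    r"^Signer #(?P<idx>\d+) certificate SHA-256 digest: (?P<digest>[0-9a-fA-F]{64})\s*$"
)


@dataclass(frozen=True)
class Finding:
    package: str
    status: str                # trusted | signer_mismatch | unknown_package | does_not_verify
    signers: Tuple[str, ...]   # fingerprints observed in the APK
    detail: str


def parse_signer_digests(apksigner_output: str) -> List[str]:
    """Extract SHA-256 signer fingerprints from `apksigner verify --print-certs` text."""
    digests = []
    for line in apksigner_output.splitlines():
        m = SIGNER_LINE.match(line.strip())
        if m:
            digests.append(m.group("digest").lower())
    return digests


def assess_apk(package: str, apksigner_output: str,
               expected: Dict[str, Set[str]] = EXPECTED_SIGNERS) -> Finding:
    """Compare an APK's signer fingerprints with the expected set for its package."""
    # apksigner prints this when the signature does not validate at all.
    if "DOES NOT VERIFY" in apksigner_output:
        return Finding(package, "does_not_verify", (), "apksigner rejected the signature")
    observed = tuple(parse_signer_digests(apksigner_output))
    if not observed:
        return Finding(package, "does_not_verify", (), "no signer certificate reported")
    if package not in expected:
        return Finding(package, "unknown_package", observed, "no baseline for this package")
    # Every signer must be on the allowlist; one unexpected signer is enough to flag.
    unexpected = [d for d in observed if d not in expected[package]]
    if unexpected:
        return Finding(package, "signer_mismatch", observed,
                       "signed by unexpected certificate(s): " + ", ".join(unexpected))
    return Finding(package, "trusted", observed, "all signers match the baseline")


def triage_inventory(inventory: Dict[str, str]) -> List[Finding]:
    """Assess a {package: apksigner_output} inventory; return findings needing attention."""
    return [f for pkg, out in inventory.items()
            if (f := assess_apk(pkg, out)).status != "trusted"]


def _sample_report(digest: str, dn: str) -> str:
    # Constructed text mimicking apksigner's report layout; digests are placeholders.
    return (
        "Verifies\n"
        "Verified using v1 scheme (JAR signing): true\n"
        "Verified using v2 scheme (APK Signature Scheme v2): true\n"
        "Number of signers: 1\n"
        f"Signer #1 certificate DN: {dn}\n"
        f"Signer #1 certificate SHA-256 digest: {digest}\n"
        f"Signer #1 certificate SHA-1 digest: {'ff' * 20}\n"
    )


# Constructed device inventory: one genuine app, one re-signed copy, one app
# with no baseline at all.
SAMPLE_INVENTORY: Dict[str, str] = {
    "com.example.notes": _sample_report("0a" * 32, "CN=Example Notes Dev"),
    "com.example.maps": _sample_report("3d" * 32, "CN=Android Debug"),
    "com.example.sideloaded": _sample_report("4e" * 32, "CN=Unknown"),
}

if __name__ == "__main__":
    for f in triage_inventory(SAMPLE_INVENTORY):
        print(f"{f.package}: {f.status} ({f.detail})")
```

A matching fingerprint only shows that the APK was signed with the publisher's key; it says nothing about code the publisher itself shipped. On a managed device the same comparison can be driven from the signing information that Android's package manager reports, with the allowlist populated from the store listing or the vendor's published certificate fingerprints rather than typed in by hand.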

References