Masquerade as Legitimate Application

An adversary could distribute developed malware by masquerading the malware as a legitimate application. This can be done in two different ways: by embedding the malware in a legitimate application, or by pretending to be a legitimate application.

Embedding the malware in a legitimate application is done by downloading the application, disassembling it, adding the malicious code, and then re-assembling it.[1] The app would appear to be the original app, but would contain additional malicious functionality. The adversary could then publish the malicious application to app stores or use another delivery method.

Pretending to be a legitimate application relies heavily on lack of scrutinization by the user. Typically, a malicious app pretending to be a legitimate one will have many similar details as the legitimate one, such as name, icon, and description.[2]

Malicious applications may also masquerade as legitimate applications when requesting access to the accessibility service in order to appear as legitimate to the user, increasing the likelihood that the access will be granted.

ID: T1444
Sub-techniques:  No sub-techniques
Tactic Type: Post-Adversary Device Access
Tactics: Initial Access, Defense Evasion
Platforms: Android, iOS
MTC ID: APP-31, APP-14
Contributors: Alex Hinchliffe, Palo Alto Networks
Version: 2.1
Created: 25 October 2017
Last Modified: 08 April 2020

Procedure Examples

ID Name Description
S0440 Agent Smith

Agent Smith can impersonate any popular application on an infected device, and the core malware disguises itself as a legitimate Google application. Agent Smith's dropper is a weaponized legitimate Feng Shui Bundle.[3]

S0525 Android/AdDisplay.Ashas

Android/AdDisplay.Ashas has mimicked Facebook and Google icons on the "Recent apps" screen to avoid discovery and uses the com.google.xxx package name to avoid detection.[4]

S0524 AndroidOS/MalLocker.B

AndroidOS/MalLocker.B has masqueraded as popular apps, cracked games, and video players. [5]

S0422 Anubis

Anubis has requested accessibility service privileges while masquerading as "Google Play Protect" and has disguised additional malicious application installs as legitimate system updates.[6][7]

S0540 Asacub

Asacub has masqueraded as a client of popular free ads services.[8]

G0097 Bouncing Golf

Bouncing Golf distributed malware as repackaged legitimate applications, with the malicious code in the com.golf package.[9]

S0529 CarbonSteal

CarbonSteal has impersonated several apps, including official Google apps, chat apps, VPN apps, and popular games.[10]

S0480 Cerberus

Cerberus has pretended to be an Adobe Flash Player installer.[11]

S0555 CHEMISTGAMES

CHEMISTGAMES has masqueraded as popular South Korean applications.[12]

S0301 Dendroid

Dendroid can be bound to legitimate applications prior to installation on devices.[13]

S0550 DoubleAgent

DoubleAgent has been embedded into trojanized versions of applications such as Voxer, TalkBox, and Amaq News.[10]

S0320 DroidJack

DroidJack included code from the legitimate Pokemon GO app in order to appear identical to the user, but it also included additional malicious code.[14]

S0478 EventBot

EventBot has used icons from popular applications.[15]

S0522 Exobot

Exobot has used names like WhatsApp and Netflix.[16]

S0509 FakeSpy

FakeSpy masquerades as local postal service applications.[17]

S0577 FrozenCell

FrozenCell has masqueraded as fake updates to chat applications such as Facebook, WhatsApp, Messenger, LINE, and LoveChat, as well as apps targeting Middle Eastern demographics.[18]

S0423 Ginp

Ginp has masqueraded as "Adobe Flash Player" and "Google Play Verificator".[19]

S0551 GoldenEagle

GoldenEagle has inserted trojan functionality into legitimate apps, including popular apps within the Uyghur community, VPNs, instant messaging apps, social networking, games, adult media, and Google searching.[10]

S0536 GPlayed

GPlayed has used the Play Store icon as well as the name "Google Play Marketplace".[20]

S0544 HenBox

HenBox has masqueraded as VPN and Android system apps.[2]

S0485 Mandrake

Mandrake can mimic an app called "Storage Settings" if it cannot hide its icon.[21]

S0539 Red Alert 2.0

Red Alert 2.0 has masqueraded as legitimate media player, social media, and VPN applications.[22]

S0549 SilkBean

SilkBean has been incorporated into trojanized applications, including Uyghur/Arabic focused keyboards, alphabets, and plugins, as well as official-looking Google applications.[10]

S0419 SimBad

SimBad was embedded into legitimate applications.[23]

S0558 Tiktok Pro

Tiktok Pro has masqueraded as TikTok.[24]

S0418 ViceLeaker

ViceLeaker was embedded into legitimate applications using Smali injection.[25]

S0506 ViperRAT

ViperRAT’s second stage has masqueraded as "System Updates", "Viber Update", and "WhatsApp Update".[26]

S0489 WolfRAT

WolfRAT has masqueraded as "Google service", "GooglePlay", and "Flash update".[27]

S0314 X-Agent for Android

X-Agent for Android was placed in a repackaged version of an application used by Ukrainian artillery forces.[28]

S0318 XLoader for Android

XLoader for Android has masqueraded as an Android security application.[29]

Mitigations

ID Mitigation Description
M1011 User Guidance

Users should be encouraged to only install apps from authorized app stores, which are less likely to contain malicious repackaged apps.

Detection

Users can detect malicious applications by watching for nuances that could indicate the application is not the intended one when it is being installed.

References

  1. Yajin Zhou and Xuxian Jiang. (2012, May). Dissecting Android Malware: Characterization and Evolution. Retrieved December 9, 2016.
  2. A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. Retrieved September 9, 2019.
  3. A. Hazum, F. He, I. Marom, B. Melnykov, A. Polkovnichenko. (2019, July 10). Agent Smith: A New Species of Mobile Malware. Retrieved May 7, 2020.
  4. L. Stefanko. (2019, October 24). Tracking down the developer of Android adware affecting millions of users. Retrieved October 29, 2020.
  5. D. Venkatesan. (2020, October 8). Sophisticated new Android malware marks the latest evolution of mobile ransomware . Retrieved October 29, 2020.
  6. M. Feller. (2020, February 5). Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. Retrieved April 8, 2020.
  7. K. Sun. (2019, January 17). Google Play Apps Drop Anubis, Use Motion-based Evasion. Retrieved January 20, 2021.
  8. T. Shishkova. (2018, August 28). The rise of mobile banker Asacub. Retrieved December 14, 2020.
  9. E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign ‘Bouncing Golf’ Affects Middle East. Retrieved January 27, 2020.
  10. A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020.
  11. Z. Doffman. (2019, August 16). Warning As Devious New Android Malware Hides In Fake Adobe Flash Player Installations (Updated). Retrieved June 26, 2020.
  12. B. Leonard, N. Mehta. (2019, November 21). The Secret Life of Sandworms. Retrieved December 31, 2020.
  13. Marc Rogers. (2014, March 6). Dendroid malware can take over your camera, record audio, and sneak into Google Play. Retrieved December 22, 2016.
  14. Proofpoint. (2016, July 7). DroidJack Uses Side-Load…It's Super Effective! Backdoored Pokemon GO Android App Found. Retrieved January 20, 2017.
  15. D. Frank, L. Rochberger, Y. Rimmer, A. Dahan. (2020, April 30). EventBot: A New Mobile Banking Trojan is Born. Retrieved June 26, 2020.
  1. Threat Fabric. (2017, February). Exobot - Android banking Trojan on the rise. Retrieved October 29, 2020.
  2. O. Almkias. (2020, July 1). FakeSpy Masquerades as Postal Service Apps Around the World. Retrieved September 15, 2020.
  3. Michael Flossman. (2017, October 5). FrozenCell: Multi-platform surveillance campaign against Palestinians. Retrieved November 11, 2020.
  4. ThreatFabric. (2019, November). Ginp - A malware patchwork borrowing from Anubis. Retrieved April 8, 2020.
  5. V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market . Retrieved November 24, 2020.
  6. R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020.
  7. J. Chandraiah. (2018, July 23). Red Alert 2.0: Android Trojan targets security-seekers. Retrieved December 14, 2020.
  8. Elena Root, Andrey Polkovnichenko. (2019, March 13). SimBad: A Rogue Adware Campaign On Google Play. Retrieved November 21, 2019.
  9. S. Desai. (2020, September 8). TikTok Spyware. Retrieved January 5, 2021.
  10. GReAT. (2019, June 26). ViceLeaker Operation: mobile espionage targeting Middle East. Retrieved November 21, 2019.
  11. M. Flossman. (2017, February 16). ViperRAT: The mobile APT targeting the Israeli Defense Force that should be on your radar. Retrieved September 11, 2020.
  12. W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . Retrieved July 20, 2020.
  13. CrowdStrike Global Intelligence Team. (2016). Use of Fancy Bear Android Malware in Tracking of Ukrainian FIeld Artillery Units. Retrieved February 6, 2017.
  14. Hiroaki, H., Wu, L., Wu, L.. (2019, April 2). XLoader Disguises as Android Apps, Has FakeSpy Links. Retrieved July 20, 2020.