Deliver Malicious App via Authorized App Store
Malicious applications are a common attack vector used by adversaries to gain a presence on mobile devices. Mobile devices are often configured to allow application installation only from an authorized app store (e.g., Google Play Store or Apple App Store). An adversary may seek to place a malicious application in an authorized app store, enabling the application to be installed onto targeted devices.
App stores typically require developer registration and use vetting techniques to identify malicious applications. Adversaries may use these techniques against app store defenses:
- Download New Code at Runtime
- Obfuscated Files or Information
- PRE-ATT&CK: Choose pre-compromised mobile app developer account credentials or signing keys
- PRE-ATT&CK: Test ability to evade automated mobile application security analysis performed by app stores
Adversaries may also seek to evade vetting by placing code in a malicious application to detect whether it is running in an app analysis environment and, if so, avoid performing malicious actions while under analysis.
Adversaries may also use fake identities, payment cards, etc., to create developer accounts to publish malicious applications to app stores.
Adversaries who control a target's Google account may also use the Google Play Store's remote installation capability to install apps onto the Android devices associated with that account. (Only applications that are available for download through the Google Play Store can be remotely installed using this technique.)
| Mitigation | Description |
|---|---|
| Application Vetting | App store operators and enterprises could assess reputational characteristics of the app, including the popularity of the app or other apps from the same developer and whether or not security issues have been found in other apps from the same developer. |
| User Guidance | Encourage developers to protect their account credentials and enable multi-factor authentication if available. Encourage developers to protect their signing keys. |

| Example | Description |
|---|---|
| Pegasus for Android | Pegasus for Android attempts to detect whether it is running in an emulator rather than a real device. |
| ZergHelper | ZergHelper apparently evaded Apple's app review process by performing different behaviors for users from different physical locations (e.g. performing differently for users in China versus outside of China), which could have bypassed the review process depending on the country from which it was performed. |

- An EMM/MDM or mobile threat defense solution can identify the presence of unwanted or known insecure or malicious apps on devices.
- Developers can scan (or have a third party scan on their behalf) the app stores for the presence of unauthorized apps that were submitted using the developer's identity.
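
The developer-side store scan from the last item above, as an added example that is not part of the original page: it triages store listings against the developer's own release inventory to separate impersonation from misuse of a compromised signing key or account. It assumes the listings and their signing-certificate fingerprints have already been collected; every name, package, fingerprint and helper (`Listing`, `triage`, `scan`) is constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Listing:
    package: str      # application ID shown in the store
    developer: str    # publisher display name shown in the store
    cert_sha256: str  # fingerprint of the certificate that signed the published build

# Constructed inventory; in practice the release team maintains it (assumption).
OWN_NAME = "Example Apps Ltd"
OWN_PREFIX = "com.example."
OWN_CERTS = {"aa11" * 16}
OWN_PACKAGES = {"com.example.notes", "com.example.mail"}

def normalize(name):
    """Fold case, punctuation and spacing so near-identical publisher names match."""
    return "".join(ch for ch in name.casefold() if ch.isalnum())

def triage(listing):
    """Classify one store listing against the developer's own inventory."""
    own_cert = listing.cert_sha256.lower() in OWN_CERTS
    if own_cert and listing.package in OWN_PACKAGES:
        return "ok"
    if own_cert:
        # Our key signed something we never released: stolen key or account.
        return "unknown-release-signed-with-our-key"
    if (normalize(listing.developer) == normalize(OWN_NAME)
            or listing.package.startswith(OWN_PREFIX)):
        # Our name or package namespace, but someone else's key.
        return "impersonation"
    return "unrelated"

def scan(listings):
    """Return {package: verdict} for every listing that needs follow-up."""
    verdicts = {l.package: triage(l) for l in listings}
    return {pkg: v for pkg, v in verdicts.items() if v not in ("ok", "unrelated")}

# Constructed sample listings, as a store crawl might return them.
SAMPLE = [
    Listing("com.example.notes", "Example Apps Ltd", "aa11" * 16),
    Listing("com.example.notes.pro", "example apps ltd.", "bb22" * 16),
    Listing("com.example.wallet", "Example Apps Ltd", "AA11" * 16),
    Listing("org.other.game", "Other Studio", "cc33" * 16),
]

if __name__ == "__main__":
    for pkg, verdict in scan(SAMPLE).items():
        print(f"{pkg}: {verdict}")
```

A listing signed with the developer's own key but absent from the release inventory is the higher-severity finding, since it points at the compromised credentials or signing keys mentioned earlier rather than at simple name squatting.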