Deliver Malicious App via Other Means

Malicious applications are a common attack vector used by adversaries to gain a presence on mobile devices. This technique describes installing a malicious application on targeted mobile devices without involving an authorized app store (e.g., Google Play Store or Apple App Store). Adversaries may wish to avoid placing malicious applications in an authorized app store due to increased potential risk of detection or other reasons. However, mobile devices often are configured to allow application installation only from an authorized app store which would prevent this technique from working.

Delivery methods for the malicious application include:

  • Spearphishing Attachment - Including the mobile app package as an attachment to an email message.
  • Spearphishing Link - Including a link to the mobile app package within an email, text message (e.g. SMS, iMessage, Hangouts, WhatsApp, etc.), web site, QR code, or other means.
  • Third-Party App Store - Installed from a third-party app store (as opposed to an authorized app store that the device implicitly trusts as part of its default behavior), which may not apply the same level of scrutiny to apps as applied by an authorized app store.[1][2][3]

Some Android malware comes with functionality to install additional applications, either automatically or when the adversary instructs it to.[4]

ID: T1476
Sub-techniques:  No sub-techniques
Tactic Type: Post-Adversary Device Access
Tactic: Initial Access
Platforms: Android, iOS
Version: 1.2
Created: 17 October 2018
Last Modified: 28 October 2019

Procedure Examples

Name Description
Agent Smith

Agent Smith has been distributed through the 9apps app store.[20]


Android/Chuli.A was delivered via a spearphishing message containing a malicious Android application as an attachment.[6]


Anubis was distributed via phishing link in an email.[19]

Bouncing Golf

Bouncing Golf delivered GolfSpy via a hosted application binary advertised on social media.[18]


Cerberus has been delivered to the device via websites that prompt the user to "[…] install Adobe Flash Player" and then downloads the malicious APK to the device.[21]

Dark Caracal

Dark Caracal distributes Pallas via trojanized applications hosted on watering hole websites.[12]


GolfSpy can install attacker-specified applications.[18]


Gustuff was distributed via SMS phishing messages to numbers exfiltrated from compromised devices’ contact lists. The phishing SMS messages are sent from the compromised device to the target device.[14]


Marcher is delivered via a link sent by SMS or email, including instructions advising the user to modify their Android device security settings to enable apps to be installed from "Unknown Sources."[7]


MazarBOT is delivered via an unsolicited text message containing a link to a web download URI.[9]


Pallas has the ability to download and install attacker-specified applications.[12]


RedDrop uses ads or other links within websites to encourage users to download the malicious apps using a complex content distribution network (CDN) and series of network redirects. RedDrop also downloads additional components (APKs, JAR files) from different C2 servers.[10]


Riltok is distributed via phishing SMS messages from infected devices.[13]


Rotexy is distributed through phishing links sent in SMS messages as AvitoPay.apk.[15]


RuMMS is delivered via an SMS message containing a link to an APK (Android application package).[5]


SimBad can install attacker-specified applications.[17]


ViceLeaker was primarily distributed via Telegram and WhatsApp messages.[16]


YiSpecter's malicious apps were signed with iOS enterprise certificates issued by Apple to allow the apps to be installed as enterprise apps on non-jailbroken iOS devices.[11]


ZergHelper abuses enterprises certificate and personal certificates to sign and distribute apps.[8]


Mitigation Description
Enterprise Policy

On iOS, the allowEnterpriseAppTrust and allowEnterpriseAppTrustModification configuration profile restrictions can be used to prevent users from installing apps signed using enterprise distribution keys.

User Guidance

iOS 9 and above requires explicit user consent before allowing installation of applications signed with enterprise distribution keys rather than installed from Apple's App Store. Users should be encouraged to not agree to installation of applications signed with enterprise distribution keys unless absolutely certain of the source of the application. On Android, the "Unknown Sources" setting must be enabled for users to install apps from sources other than an authorized app store (such as the Google Play Store), so users should be encouraged not to enable that setting.


  • An EMM/MDM or mobile threat defense solution may be able to identify the presence of apps installed from sources other than an authorized app store.
  • An EMM/MDM or mobile threat defense solution may be able to identify Android devices configured to allow apps to be installed from "Unknown Sources".
  • Enterprise email security solutions can identify the presence of Android or iOS application packages within email messages.