Masquerading

Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name, location, or appearance of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.

Renaming abusable system utilities to evade security monitoring is also a form of Masquerading.

ID: T1655
Sub-techniques: T1655.001
Tactic Type: Post-Adversary Device Access
Tactic: Defense Evasion
Platforms: Android, iOS
MTC ID: APP-14, APP-31
Version: 1.0
Created: 12 July 2023
Last Modified: 24 October 2025

Procedure Examples

ID Name Description
S1225 CherryBlos

CherryBlos has displayed masqueraded wallet applications if the EnabledUIMode field is set to true. CherryBlos has also displayed a fake user interface while victims make withdrawals in the legitimate Binance application if the EnableExchange field is set to true. The withdrawal transaction is ultimately transferred to the threat actor’s controlled address.[1]

S1208 FjordPhantom

FjordPhantom has masqueraded as legitimate banking applications.[2]

S1185 LightSpy

LightSpy has masqueraded a Mach-O executable as a png file.[3][4]

Mitigations

ID Mitigation Description
M1011 User Guidance

Users should be encouraged to only install apps from authorized app stores, which are less likely to contain malicious repackaged apps.

Detection Strategy

ID Name Analytic ID Analytic Description
DET0715 Detection of Masquerading AN1843

Unexpected behavior from an application could be an indicator of masquerading.
Application vetting services may potentially determine if an application contains suspicious code and/or metadata.

AN1844

Unexpected behavior from an application could be an indicator of masquerading.
Application vetting services may potentially determine if an application contains suspicious code and/or metadata.
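The "suspicious code and/or metadata" that a vetting service looks for includes the simplest masquerade on this page: a file whose name claims one type while its leading bytes say another, as in the LightSpy entry above (a Mach-O executable named as a .png). The following is an added example, not ATT&CK content and not code from any of the named vetting services, showing how such a check can be written. The file names, the byte sequences and the SAMPLE_FILES table are all constructed for the example; the magic numbers themselves are the standard ones for each format.

```python
"""Extension-versus-content check of the kind an app vetting pipeline runs.

Added example: compares what a file's name claims (by extension) against what
its leading bytes ("magic number") actually identify, and flags mismatches.
"""
from __future__ import annotations

import os
from typing import Optional

# Standard leading byte sequences for formats that matter when vetting mobile
# app packages and the files bundled inside them.
MAGIC_SIGNATURES: dict[bytes, str] = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"PK\x03\x04": "zip",           # APK and IPA packages are ZIP containers
    b"\x7fELF": "elf",              # Android native libraries (.so)
    b"dex\n": "dex",                # Android Dalvik bytecode
    b"\xfe\xed\xfa\xce": "mach-o",  # 32-bit Mach-O, big-endian byte order
    b"\xce\xfa\xed\xfe": "mach-o",  # 32-bit Mach-O, little-endian byte order
    b"\xfe\xed\xfa\xcf": "mach-o",  # 64-bit Mach-O, big-endian byte order
    b"\xcf\xfa\xed\xfe": "mach-o",  # 64-bit Mach-O, little-endian byte order
}

# What each filename extension claims the content to be.
EXTENSION_CLAIMS: dict[str, str] = {
    ".png": "png", ".jpg": "jpeg", ".jpeg": "jpeg", ".gif": "gif",
    ".apk": "zip", ".ipa": "zip", ".zip": "zip",
    ".so": "elf", ".dex": "dex", ".dylib": "mach-o",
}


def identify(data: bytes) -> Optional[str]:
    """Return the format implied by the leading bytes, or None if unknown."""
    # Longest signatures first, so a short prefix never shadows a longer one.
    for magic, name in sorted(MAGIC_SIGNATURES.items(), key=lambda kv: -len(kv[0])):
        if data.startswith(magic):
            return name
    return None


def check_claimed_type(filename: str, data: bytes) -> dict:
    """Compare the extension's claim with the header's verdict for one file."""
    ext = os.path.splitext(filename)[1].lower()
    claimed = EXTENSION_CLAIMS.get(ext)
    actual = identify(data)
    # Only a disagreement between two known answers counts as a mismatch;
    # unknown extensions or unknown headers are reported but not flagged.
    mismatch = claimed is not None and actual is not None and claimed != actual
    return {"file": filename, "claimed": claimed, "actual": actual, "mismatch": mismatch}


def scan(files: dict[str, bytes]) -> list[dict]:
    """Return the entries whose content does not match what their name claims."""
    return [r for r in (check_claimed_type(n, d) for n, d in files.items()) if r["mismatch"]]


# Constructed sample inputs standing in for files unpacked from an app bundle.
SAMPLE_FILES: dict[str, bytes] = {
    # A genuine PNG header followed by filler bytes.
    "icon.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    # A 64-bit Mach-O header saved under a .png name: the pattern described
    # for LightSpy above (constructed bytes, not a real sample).
    "assets/wallpaper.png": b"\xcf\xfa\xed\xfe\x0c\x00\x00\x01" + b"\x00" * 16,
    # An Android native library with the ELF header its extension promises.
    "lib/arm64-v8a/libcore.so": b"\x7fELF\x02\x01\x01" + b"\x00" * 16,
}


if __name__ == "__main__":
    for finding in scan(SAMPLE_FILES):
        print(f"{finding['file']}: name claims {finding['claimed']}, "
              f"header says {finding['actual']}")
```

Running the block reports only assets/wallpaper.png, because the two well-formed files agree with their names. The check deliberately flags only disagreements between two known answers: an unrecognised extension or an unrecognised header yields a record with a None field, which a vetting pipeline can route to a separate review queue rather than treat as a confirmed masquerade.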

References