Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name, location, or appearance of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.

Renaming abusable system utilities to evade security monitoring is also a form of Masquerading

ID: T1655
Sub-techniques:  T1655.001
Tactic Type: Post-Adversary Device Access
Tactic: Defense Evasion
Platforms: Android, iOS
MTC ID: APP-14, APP-31
Version: 1.0
Created: 12 July 2023
Last Modified: 08 September 2023


ID Mitigation Description
M1011 User Guidance

Users should be encouraged to only install apps from authorized app stores, which are less likely to contain malicious repackaged apps.


ID Data Source Data Component Detects
DS0041 Application Vetting API Calls

Application vetting services may potentially determine if an application contains suspicious code and/or metadata.

DS0042 User Interface System Notifications

Unexpected behavior from an application could be an indicator of masquerading.