Adversaries may match or approximate the name or location of legitimate files or resources when naming or placing them, in order to evade defenses and observation. This may be done by giving artifacts the name and icon of a legitimate, trusted application (e.g., Settings), or by using a package name that matches legitimate, trusted applications (e.g.,
Adversaries may also use the same icon of the file or application they are trying to mimic.
Agent Smith can impersonate any popular application on an infected device, and the core malware disguises itself as a legitimate Google application. Agent Smith's dropper is a weaponized legitimate Feng Shui Bundle.
Chameleon has disguised itself as other applications, such as a cryptocurrency app called ‘CoinSpot’ and the Polish bank IKO. It has also used familiar icons, such as the Chrome and Bitcoin logos.
GoldenEagle has inserted trojan functionality into legitimate apps, including popular apps within the Uyghur community, VPNs, instant messaging apps, social networking, games, adult media, and Google searching.
Red Alert 2.0, X-Agent for Android, and XLoader for Android are further examples of this behavior.
Users should be encouraged to only install apps from authorized app stores, which are less likely to contain malicious repackaged apps.
Application vetting services may be able to determine whether an application contains suspicious code or metadata.
Unexpected behavior from an application could be an indicator of masquerading.
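As an added example (not ATT&CK's own tooling), a minimal vetting check that flags installed apps whose launcher label or package name matches or approximates a trusted app, or that carry a trusted package name with an unexpected signing certificate; the catalogue, package names and signer digests are constructed sample data.

```python
"""Vetting check for apps that match or approximate a trusted app's name.
Added example for this page, not ATT&CK tooling; all catalogue entries,
package names and signer digests are constructed sample data."""
from dataclasses import dataclass
from difflib import SequenceMatcher

@dataclass(frozen=True)
class App:
    label: str    # name shown in the launcher
    package: str  # Android package name
    signer: str   # digest of the signing certificate (sample value)

# Constructed catalogue: package name -> (launcher label, expected signer)
TRUSTED = {
    "com.android.settings": ("Settings", "aa11"),
    "com.android.chrome": ("Chrome", "bb22"),
}

# Constructed inventory, as an inspection tool might collect from a device
SAMPLE_INSTALLED = [
    App("Settings", "com.android.settings", "aa11"),  # genuine
    App("Settings", "com.example.settngs", "cc33"),   # copies a trusted label
    App("Chrome", "com.android.chrome", "zz99"),      # right name, wrong signer
    App("Weather", "com.android.chrom", "dd44"),      # package-name look-alike
    App("Notes", "com.example.notes", "ee55"),        # unrelated, benign
]

def similarity(a: str, b: str) -> float:
    """Ratio in [0, 1]; 1.0 means identical strings."""
    return SequenceMatcher(None, a, b).ratio()

def vet(installed, trusted=TRUSTED, threshold=0.85):
    """Return (package, reason) pairs for apps that look like masquerading."""
    labels = {lbl.lower(): pkg for pkg, (lbl, _) in trusted.items()}
    findings = []
    for app in installed:
        if app.package in trusted:
            # A trusted package name only counts with the expected signer
            if app.signer != trusted[app.package][1]:
                findings.append((app.package, "trusted package name, unexpected signer"))
            continue
        if app.label.lower() in labels:  # same label, different package
            findings.append((app.package, f"label '{app.label}' belongs to {labels[app.label.lower()]}"))
            continue
        for pkg in trusted:  # near-miss package names (e.g. one character off)
            if similarity(app.package, pkg) >= threshold:
                findings.append((app.package, f"package name resembles {pkg}"))
                break
    return findings
```

Icon reuse, which the page also mentions, is not covered here; a real vetting pipeline would compare icon hashes against the trusted catalogue in the same way.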