An adversary may push an update to a previously benign application to add malicious code. This can be accomplished by pushing an initially benign, functional application to a trusted application store, such as the Google Play Store or the Apple App Store. This allows the adversary to establish a trusted userbase that may grant permissions to the application prior to the introduction of malicious code. Then, an application update could be pushed to introduce malicious code.[1]
This technique could also be accomplished by compromising a developer’s account. This would allow an adversary to take advantage of an existing userbase without having to establish the userbase themselves.
| ID | Name | Description |
|---|---|---|
| S1055 | SharkBot |
SharkBot initially poses as a benign application, then malware is downloaded and executed after an application update.[2] |
| ID | Mitigation | Description |
|---|---|---|
| M1012 | Enterprise Policy |
Enterprises can provision policies to mobile devices for application allow-listing, ensuring only approved applications are installed onto mobile devices. |
| M1006 | Use Recent OS Version |
Android 11 and above implement application hibernation, which can hibernate an application that has not been used for a few months and can reset the application’s permission requests.[3] |
| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| DET0652 | Detection of Application Versioning | AN1735 |
Application vetting services may detect when an application requests permissions after an application update. |
| AN1736 |
Application vetting services may detect when an application requests permissions after an application update. |