An adversary may push an update to a previously benign application to add malicious code. This can be accomplished by pushing an initially benign, functional application to a trusted application store, such as the Google Play Store or the Apple App Store. This allows the adversary to establish a trusted userbase that may grant permissions to the application prior to the introduction of malicious code. Then, an application update could be pushed to introduce malicious code.[1]
This technique could also be accomplished by compromising a developer’s account. This would allow an adversary to take advantage of an existing userbase without having to establish the userbase themselves.
| ID | Name | Description |
|---|---|---|
| S1055 | SharkBot |
SharkBot initially poses as a benign application, then malware is downloaded and executed after an application update.[2] |
| ID | Mitigation | Description |
|---|---|---|
| M1012 | Enterprise Policy |
Enterprises can provision policies to mobile devices for application allow-listing, ensuring only approved applications are installed onto mobile devices. |
| M1006 | Use Recent OS Version |
Android 11 and above implement application hibernation, which can hibernate an application that has not been used for a few months and can reset the application’s permission requests.[3] |
| ID | Data Source | Data Component | Detects |
|---|---|---|---|
| DS0041 | Application Vetting | API Calls |
Application vetting services may look for indications that the application’s update includes malicious code at runtime. |
| Network Communication |
Application vetting services may be able to list domains and/or IP addresses that applications communicate with. |
||
| Permissions Requests |
Application vetting services may detect when an application requests permissions after an application update. |