Application Versioning

An adversary may push an update to a previously benign application to add malicious code. This can be accomplished by pushing an initially benign, functional application to a trusted application store, such as the Google Play Store or the Apple App Store. This allows the adversary to establish a trusted userbase that may grant permissions to the application prior to the introduction of malicious code. Then, an application update could be pushed to introduce malicious code.[1]

This technique could also be accomplished by compromising a developer’s account. This would allow an adversary to take advantage of an existing userbase without having to establish the userbase themselves.

ID: T1661
Sub-techniques:  No sub-techniques
Tactic Type: Post-Adversary Device Access
Platforms: Android, iOS
Contributors: Adam Lichters; Edward Stevens, BT Security
Version: 1.0
Created: 21 September 2023
Last Modified: 28 September 2023

Procedure Examples

ID Name Description
S1055 SharkBot

SharkBot initially poses as a benign application, then malware is downloaded and executed after an application update.[2]


ID Mitigation Description
M1012 Enterprise Policy

Enterprises can provision policies to mobile devices for application allow-listing, ensuring only approved applications are installed onto mobile devices.

M1006 Use Recent OS Version

Android 11 and above implement application hibernation, which can hibernate an application that has not been used for a few months and can reset the application’s permission requests.[3]


ID Data Source Data Component Detects
DS0041 Application Vetting API Calls

Application vetting services may look for indications that the application’s update includes malicious code at runtime.

Network Communication

Application vetting services may be able to list domains and/or IP addresses that applications communicate with.

Permissions Requests

Application vetting services may detect when an application requests permissions after an application update.