{
	"id": "57307553-10c4-4752-8dda-6fafd45de528",
	"created_at": "2026-04-06T00:06:07.478087Z",
	"updated_at": "2026-04-10T03:22:06.674904Z",
	"deleted_at": null,
	"sha1_hash": "9119031a8c07e5a9591cf30e0e7c23ae02494c5d",
	"title": "APP-14 · Mobile Threat Catalogue",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 51151,
	"plain_text": "APP-14 · Mobile Threat Catalogue\r\nArchived: 2026-04-05 23:42:27 UTC\r\nMobile Threat Catalogue\r\nMasquerade as Legitimate Application\r\nThreat Category: Malicious or privacy-invasive application\r\nID: APP-14\r\nThreat Description: Like well-behaved apps, a trojan app offers some functionality to the user, though a trojan also\r\nincludes hidden functionality that is malicious or otherwise undesirable. One technique for deploying trojan functionality is\r\nto obtain the install packages for a legitimate app, decompile/disassemble it, introduce the trojan, and then generate a new\r\ninstall package. The app will appear to a user to be the legitimate app. Distribution of trojans is commonly achieved by\r\nsubmission to open 3rd party app stores or social engineering attacks claiming to offer users the app with incentives (lower\r\ncost, free, extras unlocked, etc.).\r\nThreat Origin\r\nThe Google Android Security Team’s Classifications for Potentially Harmful Applications 1\r\nMobile Threat Protection: A Holistic Approach to Securing Mobile Data and Devices 2\r\nDissecting Android Malware: Characterization and Evolution 3\r\nExploit Examples\r\nNew Android Malware Family Evades Antivirus Detection by Using Popular Ad Libraries 4\r\nSlembunk: An Evolving Android Trojan Family Targeting Users of Worldwide Banking Apps 5\r\nIncident Response for Android and iOS 6\r\nCloned banking app stealing usernames sneaks into Google Play 7\r\nCVE Examples\r\nNot Applicable\r\nPossible Countermeasures\r\nEnterprise\r\nDeploy MAM or MDM solutions with policies that prohibit the sideloading of apps, which may bypass security checks on\r\nthe app.\r\nDeploy MAM or MDM solutions with policies that prohibit the installation of apps from 3rd party (unofficial) app stores.\r\nUse application threat intelligence data about potentially harmful apps installed on COPE or BYOD devices.\r\nMobile Device User\r\nUse the Android Verify Apps feature to identify potentially harmful apps.\r\nMobile App Developer\r\nTo make it harder for an attacker to abuse existing app functionality, only request access to the minimal set of shared data\r\nstores (e.g., contacts, calendar), OS services (e.g., location services), and device sensors (e.g., camera, microphone) necessary\r\nfor the app to provide functionality.\r\nReferences\r\n1. The Google Android Security Team’s Classifications for Potentially Harmful Applications, Apr. 2016;\r\nhttps://static.googleusercontent.com/media/source.android.com/en//security/reports/Google_Android_Security_PHA_classificati\r\n[accessed 8/25/2016]\r\n2. L. Neely, Mobile Threat Protection: A Holistic Approach to Securing Mobile Data and Devices, SANS Institute,\r\n2016; www.sans.org/reading-room/whitepapers/analyst/mobile-threat-protection-holistic-approach-securing-mobile-data-devices-36715 [accessed 8/25/2016]\r\n3. Y. Zhou and X. Jiang, “Dissecting Android Malware: Characterization and Evolution”, in Proceedings of the 2012\r\nIEEE Symposium on Security and Privacy, 2012, pp. 95-109; http://ieeexplore.ieee.org/document/6234407/?arnumber=6234407 [accessed 8/25/2016]\r\n4. C. Zheng and Z. Xu, “New Android Malware Family Evades Antivirus Detection by Using Popular Ad Libraries”,\r\nblog, 7 July 2015; http://researchcenter.paloaltonetworks.com/2015/07/new-android-malware-family-evades-antivirus-detection-by-using-popular-ad-libraries/ [accessed 8/25/2016]\r\n5. W. Zhou et al., “Slembunk: An Evolving Android Trojan Family Targeting Users of Worldwide Banking Apps”, blog,\r\n17 Dec. 2015; www.fireeye.com/blog/threat-research/2015/12/slembunk_an_evolvin.html [accessed 8/25/2016]\r\n6. Unauthorized App Discovered, in Incident Response for Android and iOS, www.nowsecure.com/resources/mobile-incident-response/en/case-studies/unauthorized-app-discovered.html [accessed 8/25/2016]\r\n7. M. Kelly, “Cloned banking app stealing usernames sneaks into Google Play”, blog, 24 June 2014;\r\nhttps://blog.lookout.com/blog/2014/06/24/bankmirage/ [accessed 8/25/2016]\r\nSource: https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-14.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-14.html"
	],
	"report_names": [
		"APP-14.html"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775433967,
	"ts_updated_at": 1775791326,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9119031a8c07e5a9591cf30e0e7c23ae02494c5d.pdf",
		"text": "https://archive.orkl.eu/9119031a8c07e5a9591cf30e0e7c23ae02494c5d.txt",
		"img": "https://archive.orkl.eu/9119031a8c07e5a9591cf30e0e7c23ae02494c5d.jpg"
	}
}